
Wireshark-users: Re: [Wireshark-users] tshark output

From: Chris Henderson <henders254@xxxxxxxxx>
Date: Tue, 24 Mar 2009 15:01:31 +1100
On Tue, Mar 24, 2009 at 2:24 PM, Stephen Fisher
<steve@xxxxxxxxxxxxxxxxxx> wrote:
>
> On Tue, Mar 24, 2009 at 01:58:40PM +1100, Chris Henderson wrote:
>
>> I'm trying to get the tshark output (MAC addresses) to a file but the
>> output of tshark -i eth0 -n port 68 -R 'bootp.type == 2' -o
>> column.format:'"Source MAC","%hs"' is different from the output of
>> tshark -i eth0 -n port 68 -R 'bootp.type == 2' -o
>> column.format:'"Source MAC","%hs"' -w /tmp/mac
>>
>> In the latter I get number, time, ip -> ip, DHCP, transaction ID - all
>> of which I don't need. In the former, I only get the MAC address which
>> I need. Is there any way to dump only the MAC address to an output
>> file?
>
> Try redirecting the output of the first command to the file.  The -w
> option is for writing raw packet data in libpcap format to a file.

Tried:

tshark -i eth0 -n port 68 -R 'bootp.type == 2' -o column.format:'"Source MAC","%hs"' > /tmp/capture &

but get nothing in the file. ps -ef | grep shark shows

tshark -i eth0 -n port 68 -R bootp.type == 2 -o column.format:"Source MAC","%hs"

pkill shark - and I get the /tmp/capture file with all the entries!

Is there any way to get the entries in the file while running

tshark -i eth0 -n port 68 -R 'bootp.type == 2' -o column.format:'"Source MAC","%hs"' > /tmp/capture &  ?

Thanks.