Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.
Wireshark logo

Wireshark-users: Re: [Wireshark-users] how to apply a capture filter and savecaptured packets to

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: "Sreenivasulu Yellamaraju" <Sreenivasulu.Yellamaraju@xxxxxxx>
Date: Thu, 30 Dec 2010 09:47:05 +0530

Regards,
Sreenivasulu Y
Lead Engineer

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: Wednesday, December 29, 2010 6:49 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] how to apply a capture filter and
savecaptured packets to an output file using tshark

On 29 dec 2010, at 13:42, Sreenivasulu Yellamaraju wrote:


Hi Sake,
Thanks for the reply.

> I am trying to use tshark wit the following purpose :
> Run it for a duration of overnight(12 hours), capture only management
packets to/or from a known WLAN AP during those 12 hours and save the
output to a PCAP format file.

For long time captures it is better to use "dumpcap" (which is also used
by tshark and wireshark as capture engine) as it does not keep state of
conversations. It does not increase in memory usage while tshark and
wireshark will until they run out of memory (as you have noticed).

Does dumpcap support "-R <display-filter"? It doesn't support as per
it's help. Let me try out in my actual setup.

Also, I have figured that "-f <wlan-specific-capture-filter>" doesn't
work on Windows tshark.
I am sorry as I failed to mention that I was experimenting all the while
on a Windows based Wireshark+tshark combination.
This is because "tshark -i 2 -L" is showing the link type as "PPI" and
tshark thinks that WLAN specific capture filters cann't be applied to
link type PPI.

But "tshark -f <wlan-specific-capture-filter>" works on a linux laptop.
On that laptop, "tshark -i 2 -L" shows link type as IEEE_80211_RADIO.
Subsequently, "tshark -f <wlan-specific-capture-filter> -w output.pcap"
also worked.


> Trial 1
> ------
> The obvious solution is capture every packet in the air,save them and
process later :
> tshark -i wlan0 -w output.cap
> tshark -i output.cap -R "display filter" -w output-processed.cap [this
works only if above step works and output.pcap is generated after 12
hours]
>  
> But as I am running tshark for 12 hours and as there are hundreds of
thousands of packets in air, the file output.cap becomes either too
large of tshark itself is dying within 12 hours.
>  
> Next,I have tried the following  over a duration of 1 minute to see if
it works :
> tshark -i wlan0 -R "display filter" -w output-processed.cap
>  
> Although output-processed.cap is generated, it contains each and every
packet in air and there is no effect of display filter.
>  
> Is there any switch to tshark that I am missing?

This used to work before privilege separation was put in place and
wireshark and tshark started to use dumpcap. It is not easy to bring
back that functionality. There is an open bugreport for it
(https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234)

Thanks for pointing to this bug.

> Trial 2
> -------
> Next, I have tried to apply capture filter in WireShark's GUI.
>  
> I have tried some sample capture filters but none of them are accepted
by the capture dialog box.
> type mgt
> subtype assocreq or subtype assocresp
>  
> Is there anything I am missing while entering these capture filters in
Wireshark GUI ?

You have to use the BPF packet filter syntax. There is a good post on
LoveMyTool about display and capture filters for wlan. Have a look at:

http://www.lovemytool.com/blog/2010/02/wireshark-wireless-display-and-ca
pture-filters-samples-by-joke-snelders.html

It does not specifically mention management frames, but I'm sure you can
work out the capture filter by following her examples.

Joke has put up an excellent page with WLAN specific capture filters
which helped me a lot. As I have noted earlier WLAN specific
capture filters work only when supported link type is IEEE_80211_RADIO.
Since I was looking for a solution on Windows based tshark,
it seems to be not possible.

Cheers,


Sake

________________________________________________________________________
___
Sent via:    Wireshark-users mailing list
<wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
 
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe


 To report this email as spam click
https://www.mailcontrol.com/sr/wQw0zmjPoHdJTZGyOCrrhg==
N5Su7zTX1n!cIzCvGdoNz5+gO9O7K8ExUzwFL4l1WzKMQ== .


Member of the CSR plc group of companies. CSR plc registered in England and Wales, registered number 4187346, registered office Churchill House, Cambridge Business Park, Cowley Road, Cambridge, CB4 0WZ, United Kingdom
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube