Wireshark-users: [Wireshark-users] capture filter

From: julius <mycommercials.79@xxxxxx>
Date: Tue, 07 Feb 2012 12:48:33 +0100
Hi,

I found this FTP filter on the Wireshark mailing list:

tshark -r ftp.pcap -R '(ftp.response.code == 230 || ftp.request.command == "PASS") || (ftp.request.command == "USER")'


in combination with this:
tshark -w ftp.capture -f "host SOMEIP"

It works, but how do you combine these two to only capture the FTP login attempts?
And why is it that capture filters differ from display filters?


greets