WinDump will work like tcpdump, meaning it accepts capture filters.

> Do I need to learn how to write an equivalent read filter for my capture filter?

It accepts tcpdump capture filters:

windump -nr input.pcap -w output.pcap "icmp"
windump -nr input.pcap -w output.pcap "ip host 192.168.0.2"

Hint: currently it only supports libpcap files, not pcap-ng files! So, if you want to use WinDump for pcap-ng files, you need to convert them first.

Sure, you can also use 'display/read' filters, and the change in the syntax shouldn't be too complex, at least not for simple capture filters.

tshark -nr input.pcap -Y "icmp" -w output.pcap
tshark -nr input.pcap -Y "ip.addr eq 192.168.0.2" -w output.pcap

From tshark -h:

-2  perform a two-pass analysis
-R  packet Read filter in Wireshark display filter syntax
-Y  packet displaY filter in Wireshark display filter syntax

Now, if I run the following command (1.11.x):

tshark -nr input.pcap -R "ip.addr eq 1.2.3.4"

So, -Y is single pass and -R -2 is two-pass. In that respect, -Y should be called the 'read filter' as it is applied only once during the first/single pass, while the file is being read. And -R should be called the 'display filter', as that's the filter that is applied on both passes, which makes it more like a display filter.

> Is there another tool that will do what I want,

For Windows there is a tool called SplitCap, but the filter syntax is neither capture filter nor display filter. If you prefer a scripted solution, take a look at pcap-util2.
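As an added example of the "scripted solution" route mentioned in the answer (this is illustration code written for this page, not pcap-util2 or any Wireshark/WinDump code), the following Python walks a libpcap file record by record, keeps the records matching a predicate equivalent to the capture filters `icmp` and `ip host 192.168.0.2` (or the display filters `icmp` and `ip.addr eq 192.168.0.2`) used above, and writes the survivors back out as a libpcap file with the global header untouched. Like WinDump it handles only the classic libpcap format and refuses pcap-ng by its section-header magic, so a pcap-ng trace has to be converted first (for example with `editcap -F pcap`). The sample capture is constructed inline from hand-built Ethernet/IPv4 frames; it is not a real trace, and the IPv4 checksums are left at zero because nothing here validates them.

```python
"""Scripted libpcap filtering (added example, not pcap-util2): keep records whose
IPv4 packet matches a predicate and write a new libpcap file. Sample data is
constructed below; it is not a real capture."""
import ipaddress
import struct

PCAP_MAGIC_USEC = 0xA1B2C3D4   # classic libpcap, microsecond timestamps
PCAP_MAGIC_NSEC = 0xA1B23C4D   # libpcap variant with nanosecond timestamps
PCAPNG_MAGIC = 0x0A0D0D0A      # pcap-ng Section Header Block type: refused, as WinDump would
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_ICMP = 1
IPPROTO_TCP = 6


def _detect_endian(magic_bytes):
    """Return the struct byte-order prefix of a libpcap global header, or raise."""
    for endian in ("<", ">"):
        magic = struct.unpack(endian + "I", magic_bytes)[0]
        if magic == PCAPNG_MAGIC:
            raise ValueError("pcap-ng input: convert it to libpcap first (e.g. editcap -F pcap)")
        if magic in (PCAP_MAGIC_USEC, PCAP_MAGIC_NSEC):
            return endian
    raise ValueError("not a libpcap file")


def read_pcap(data):
    """Parse a libpcap byte string into (endian, global header, linktype, records)."""
    if len(data) < 24:
        raise ValueError("truncated global header")
    endian = _detect_endian(data[:4])
    linktype = struct.unpack(endian + "IHHiIII", data[:24])[6]   # last field: network/linktype
    records, off = [], 24
    while off < len(data):
        if off + 16 > len(data):
            raise ValueError("truncated record header")
        incl_len = struct.unpack(endian + "IIII", data[off:off + 16])[2]
        pkt = data[off + 16:off + 16 + incl_len]
        if len(pkt) != incl_len:
            raise ValueError("truncated packet data")
        records.append((data[off:off + 16], pkt))   # keep the record header verbatim
        off += 16 + incl_len
    return endian, data[:24], linktype, records


def _ipv4_header(frame):
    """Return the IPv4 header of an Ethernet frame, or None if it is not IPv4."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or len(ip) < ihl:
        return None
    return ip[:ihl]


def ip_host(addr):
    """Predicate equivalent to capture filter 'ip host A' / display filter 'ip.addr eq A'."""
    packed = ipaddress.IPv4Address(addr).packed

    def match(frame):
        ip = _ipv4_header(frame)
        return ip is not None and packed in (ip[12:16], ip[16:20])
    return match


def icmp(frame):
    """Predicate equivalent to capture filter 'icmp' / display filter 'icmp'."""
    ip = _ipv4_header(frame)
    return ip is not None and ip[9] == IPPROTO_ICMP


def filter_pcap(data, predicate):
    """Return a libpcap byte string holding only the records that satisfy predicate."""
    _, header, linktype, records = read_pcap(data)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("this example only decodes Ethernet link-layer captures")
    out = [header]
    for rec_hdr, pkt in records:
        if predicate(pkt):
            out.extend((rec_hdr, pkt))
    return b"".join(out)


def record_count(data):
    return len(read_pcap(data)[3])


def build_frame(src, dst, proto, payload=b"\x08\x00\x00\x00\x00\x00\x00\x00"):
    """Constructed Ethernet + IPv4 frame; checksum left at zero (not validated here)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + struct.pack("!H", ETHERTYPE_IPV4)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return eth + ip + payload


def build_pcap(frames):
    """Constructed little-endian libpcap file with one record per frame."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC_USEC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame)))
        out.append(frame)
    return b"".join(out)


# Constructed sample capture: two ICMP and two TCP packets, three touching 192.168.0.2.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.0.2", "10.0.0.1", IPPROTO_ICMP),
    build_frame("10.0.0.5", "10.0.0.6", IPPROTO_TCP, b"\x00" * 20),
    build_frame("10.0.0.7", "192.168.0.2", IPPROTO_ICMP),
    build_frame("10.0.0.5", "192.168.0.2", IPPROTO_TCP, b"\x00" * 20),
])
# Constructed pcap-ng prefix: just the section-header magic, enough to trigger the refusal.
SAMPLE_PCAPNG_HEAD = struct.pack("<I", PCAPNG_MAGIC) + b"\x00" * 20

if __name__ == "__main__":
    kept = filter_pcap(SAMPLE_PCAP, ip_host("192.168.0.2"))
    print("kept %d of %d records" % (record_count(kept), record_count(SAMPLE_PCAP)))
```

The record headers are copied through unchanged, so timestamps and length fields survive exactly as captured, and the global header is reused so snaplen and link type stay consistent with the original file. The magic check is the one place where this script deliberately mirrors WinDump's limitation from the answer: a pcap-ng file is rejected up front rather than misparsed.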