Jorge Miguel
Reputation: 31
Tshark filter protocol FIX
Can someone help me? I can not save file.
C:\Program Files\Wireshark>Tshark -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF4
6-79FF-4A97-802A-F6CEF5896D29} -Y fix -w C:\ts.pcap
tshark: Display filters aren't supported when capturing and saving the captured
packets.
Upvotes: 1
Views: 775
Answers (1)
Christopher Maynard
Reputation: 6304
As the message indicates, "tshark: Display filters aren't supported when capturing and saving the captured packets.", so you'll have to remove the display filter. In other words, remove -Y fix and it should work, although you'll be capturing all traffic without some sort of filter, so that's probably not what you want.
If you want to limit the packets that are captured, then you need to use a capture filter, not a display filter, and that is done via the -f option. As mentioned on this question over at the Wireshark Q&A site, a command such as follows may be useful to you:
C:\Program Files\Wireshark>Tshark -i rpcap://[172.16.254.6]/\Device\NPF_{CF9CFF46-79FF-4A97-802A-F6CEF5896D29} -f "tcp[20:4]=0x383D4649 and tcp[24:1]=0x58" -w C:\ts.pcap
Upvotes: 3
Related Questions
- Multiple protocol filtering on Wireshark
- How to force wireshark to show protocol names?
- Convert wireshark filter notation to tshark filter notation
- Multiple filter in tshark
- How to filter TCP option with wireshark?
- Using tshark filter with SIP tcp trace
- Resolving protocol names in custom tshark display filter
- How to capture only TCP traffic with tshark
- Wireshark filter syntax
- tshark: not able to apply filter while saving the captured packet