Reputation: 2033
tshark capture only dns or http traffic with specific ip adress and write to file
Hello I want to capture from a specific ip adress dns or http or http2 traffic and save it to a file. I tried this:
tshark -i xxx -w capture-output.pcap -T fields -e ip.src -Y "ip.src == 192.168.178.xxx and (dns or http or http2)"
I get this error: tshark: Display filters aren't supported when capturing and saving the captured packets.
Can somebody help me?
Upvotes: 0
Views: 14065
Answers (1)
Reputation: 3186
The error gives you as much information as you need - you can't use a display filter when saving a packet capture. You have two options here:
Option 1: Save the capture and use a display filter afterwards
This would look something like
# Write the initial file with incoming packets
$ tshark -i xxx -w capture-output.pcap
# Filter out the traffic we don't want
$ tshark -r capture-output.pcap -w filtered-output.pcap \
-T fields -e ip.src -Y "ip.src == 192.168.178.xxx and (dns or http or http2)"
Option 2: Use a capture filter
Use a capture filter instead. Capture filters use a special syntax that is different from display filters.
The equivalent capture filter you would want to use give your display filter is
$ tshark -w filtered.pcap -f "src net 192.168.178.0/24 and (udp port 53 or tcp port 80 or tcp port 443)"
Upvotes: 4
Related Questions
- How to filter wireshark to see only dns queries that are sent/received from/by my computer?
- Filter a PCAP file using tshark : show ip source>ip destination:info in a txt file
- tshark.exe: capture traffic without content, only headers of packets
- tshark: capture specific bytes from a packet data (content)
- TSHARK DNS to LOGFILE
- tshark packet capture filter by request url
- Capture the hostname only
- Wireshark filter for filtering both destination-source IP address and the protocol
- how to capture HTTP packets in wireshark
- How to capture only TCP traffic with tshark