Wireshark-users: Re: [Wireshark-users] tshark doesn't capture what wireshark does
From: Bill Meier <wmeier@xxxxxxxxxxx>
Date: Tue, 05 Feb 2008 11:12:12 -0500
José María Polvorosa Amor wrote:
Dear friend,


Example:
--I transfer a file from myServer to myPC. Wireshark is sniffing on myPC.
1. Wireshark (gui) is sniffing at the same time. Then I filter packets to show only "ftp or ftp-data". Everything OK
2. Tshark is sniffing at the same time. Command: tshark -i eth0 -p -R "ftp or ftp-data". Sometimes it collects 1 packet, sometimes 4 packets, but always the first packets, never the "FTP Response: Transfer complete" that is the last one in a correct transfer, or the ftp-data that contains the file data.

I also updated my Fedora 6 kernel (2.6.20-1.2962), but I don't know if it has any effect; all my modules work properly.
So I would be pleased if someone could help me: is it a problem of the kernel, or maybe the update modified Wireshark? I changed the Wireshark version, reinstalled a
new one, and everything goes on. I'm a bit desperate.

Information from: wireshark -v
wireshark 0.99.3a


Unless I'm missing something, "tshark -i eth0 -p -R "ftp or ftp-data" should be OK.

First:

0.99.3 is quite old...  Can you update to the current version, 0.99.7?

(I'm not sure what you mean by "update modified wireshark" and "changed wireshark version, re-install new one". Is the 0.99.3a a locally modified Wireshark ? What 'new one' was installed ?)

Even though you are using Fedora 6, I believe downloading and installing the latest Wireshark (from the Fedora-8 repository by using yum or whatever) should work just fine.


Second:

Are you testing tshark as part of your "integrated in a C program" setup? If so: does tshark give the correct results if run by itself ?

Third:

What does tshark -D show?