Wireshark-users: [Wireshark-users] Tshark -R option
From: sean bzd <seanbzd@xxxxxxxxx>
Date: Wed, 2 Sep 2009 15:24:46 -0400
Folks,

I'm using the following tshark command to capture some packets; I was expecting that only the packets satisfying the read filter condition "myprotodissector.something==528" would be written to the output file C:\Traffic.pcap, but this is not happening. The .pcap file contains lots of other packets not matching the read filter. I was expecting to see ONLY the packets satisfying the read filter in the output file. What is interesting, though, is that while the capture is in progress, the stdout showing the number of packets is correctly indicating the # of packets satisfying the read filter. (For example, if I captured 100 packets and 2 satisfied the read filter, stdout shows 2, but the output file contains all 100 packets.)
C:\Program Files\Wireshark>tshark.exe -i 4 -x -t ad -R "myprotodissector.something==528" -b filesize:5000 -w C:\Traffic.pcap

This is what the manual says:

-R <read (display) filter>

Cause the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) to be applied before printing a decoded form of packets or writing packets to a file; packets not matching the filter are discarded rather than being printed or written.
A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression. Capture filters are supported only when doing a live capture; read filters are supported when doing a live capture and when reading a capture file, but require TShark to do more work when filtering, so you might be more likely to lose packets under heavy load if you're using a read filter. If the filter is specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done (i.e., if no -r option was specified) and a read filter if a capture file is being read (i.e., if a -r option was specified).