Hi,
I am trying to use tshark with the following purpose:
run it for a duration of overnight (12 hours), capture only
management packets to or from a known WLAN AP during those 12 hours, and save
the output to a PCAP format file.
This is my sniffer setup:
Wireshark version 1.2.9 (SVN Rev 33171)
winpcap 4.1.1, libpcap 1.0
Tshark version 1.2.9 (SVN Rev 33171)
Adapter: AirPcap Nx from CACE Technologies
Trial 1
------
The obvious solution is to capture every packet in the air, save
them and process later:
tshark -i wlan0 -w output.cap
tshark -r output.cap -R "display filter" -w output-processed.cap
[this works only if the above step works and output.cap is generated after 12 hours]
But as I am running tshark for 12 hours, and as there are
hundreds of thousands of packets in the air, the file output.cap becomes either too
large or tshark itself dies within the 12 hours.
Next, I have tried the following over a duration of 1
minute to see if it works:
tshark -i wlan0 -R "display filter" -w output-processed.cap
Although output-processed.cap is generated, it contains each
and every packet in the air and there is no effect of the display filter.
Is there any switch to tshark that I am missing?
Trial 2
-------
Next, I have tried to apply a capture filter in Wireshark's
GUI.
I have tried some sample capture filters but none of them
are accepted by the capture dialog box:
type mgt
subtype assocreq or subtype assocresp
Is there anything I am missing while entering these capture
filters in the Wireshark GUI?
Regards,
Sreenivasulu Y
Lead Engineer
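Added example, not part of the original post: a POSIX shell script showing how this job is normally done with tshark, a libpcap capture filter (the -f option; the same syntax the Wireshark capture dialog accepts) that drops everything except management frames to or from the AP before it is written, combined with a 12-hour stop condition and an hourly ring buffer so no single file grows without bound. In libpcap the 802.11 subtype names are hyphenated (assoc-req, assoc-resp, probe-req, beacon, auth, deauth), and "type mgt" on its own selects every management subtype. The interface wlan0, the BSSID 00:11:22:33:44:55 and the output prefix are placeholder assumptions.

```shell
#!/bin/sh
# Added example (not from the original post).  Interface name, BSSID and
# file prefix below are placeholder assumptions; substitute your own.

# Accept only a colon-separated 6-octet MAC address (either case).
valid_bssid() {
    case "$1" in
        [0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F]:[0-9a-fA-F][0-9a-fA-F])
            return 0 ;;
        *)  return 1 ;;
    esac
}

# libpcap capture filter: management frames whose Address 1 (receiver) or
# Address 2 (transmitter) is the AP.  This string is also what you would
# type into the Wireshark capture dialog's "Capture Filter" field.
mgmt_ap_filter() {
    valid_bssid "$1" || return 1
    printf 'type mgt and (wlan addr1 %s or wlan addr2 %s)' "$1" "$1"
}

# Narrower variant: only the association request/response frames.
# Note the hyphenated libpcap subtype names.
assoc_ap_filter() {
    valid_bssid "$1" || return 1
    printf '(subtype assoc-req or subtype assoc-resp) and (wlan addr1 %s or wlan addr2 %s)' "$1" "$1"
}

# The overnight capture itself:
#   -f            capture filter, applied before frames are written
#   -a duration:43200   stop after 12 hours (43200 s)
#   -b duration:3600    start a new file every hour (tshark inserts a
#                       sequence number and timestamp into each file name)
#   -q            do not print the running packet count
run_overnight_capture() {
    iface=$1; bssid=$2; prefix=${3:-ap-mgmt}
    filter=$(mgmt_ap_filter "$bssid") || { echo "bad BSSID: $bssid" >&2; return 1; }
    tshark -i "$iface" -f "$filter" -a duration:43200 -b duration:3600 -q -w "$prefix.pcap"
}

# Optional second pass over a saved file with a *display* filter (Wireshark
# field syntax, not BPF).  tshark 1.2.x takes it as -R; current versions
# use -Y (or -2 -R for two-pass).  type_subtype 0 = assoc req, 1 = assoc resp.
extract_assoc() {
    tshark -r "$1" -R 'wlan.fc.type_subtype == 0 || wlan.fc.type_subtype == 1' -w "$2"
}

# Usage with the placeholder values:
#   run_overnight_capture wlan0 00:11:22:33:44:55 overnight
#   extract_assoc overnight_00001_20100901220000.pcap assoc-only.pcap
```

The point of the -f filter is that the discard happens at capture time, so the 12-hour file only ever holds the frames of interest; -R (or -Y) is a post-capture read filter and is the right tool for the second, offline pass.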