Wireshark-users: Re: [Wireshark-users] how to apply a capture filter and save captured packets to
From: Sake Blok <sake@xxxxxxxxxx>
Date: Wed, 29 Dec 2010 14:18:50 +0100
On 29 dec 2010, at 13:42, Sreenivasulu Yellamaraju wrote:

> I am trying to use tshark wit the following purpose :
> Run it for a duration of overnight(12 hours), capture only management packets to/or from a known WLAN AP during those 12 hours and save the output to a PCAP format file.

For long time captures it is better to use "dumpcap" (which is also used by tshark and wireshark as capture engine) as it does not keep state of conversations. It does not increase in memory usage while tshark and wireshark will until they run out of memory (as you have noticed).

> Trial 1
> ------
> The obvious solution is capture every packet in the air,save them and process later :
> tshark -i wlan0 -w output.cap
> tshark -i output.cap -R "display filter" -w output-processed.cap [this works only if above step works and output.pcap is generated after 12 hours]
>  
> But as I am running tshark for 12 hours and as there are hundreds of thousands of packets in air, the file output.cap becomes either too large of tshark itself is dying within 12 hours.
>  
> Next,I have tried the following  over a duration of 1 minute to see if it works :
> tshark -i wlan0 -R "display filter" -w output-processed.cap
>  
> Although output-processed.cap is generated, it contains each and every packet in air and there is no effect of display filter.
>  
> Is there any switch to tshark that I am missing?

This used to work before privilege separation was put in place and wireshark and tshark started to use dumpcap. It is not easy to bring back that functionality. There is an open bugreport for it (https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234)


> Trial 2
> -------
> Next, I have tried to apply capture filter in WireShark’s GUI.
>  
> I have tried some sample capture filters but none of them are accepted by the capture dialog box.
> type mgt
> subtype assocreq or subtype assocresp
>  
> Is there anything I am missing while entering these capture filters in Wireshark GUI ?

You have to use the BPF packet filter syntax. There is a good post on LoveMyTool about display and capture filters for wlan. Have a look at:

http://www.lovemytool.com/blog/2010/02/wireshark-wireless-display-and-capture-filters-samples-by-joke-snelders.html

It does not specifically mention management frames, but I'm sure you can work out the capture filter by following her examples.

Cheers,


Sake