Wireshark-users: [Wireshark-users] capture filter
From: julius <mycommercials.79@xxxxxx>
Date: Tue, 07 Feb 2012 12:48:33 +0100
Hi,

i found this ftp filter on the wireshark mailing list:

tshark -r ftp.pcap -R "(ftp.response.code == 230 || ftp.request.command
== "PASS") || (ftp.request.command == "USER")"


in combination with this:
tshark -w ftp.capture -f "host SOMEIP"

it works, but how do you combine these two to only capture the ftp login attempts?
and why is it that capture filters do differ from display filters?


greets