Wireshark-users: Re: [Wireshark-users] Apply read filter while writing to file
From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Fri, 08 Mar 2013 18:18:33 -0500
Read filters haven't worked like this in quite a while (since 0.99.7). The bug:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234

... is listed in the "known problems" of each release since then.

It is possible to build a pipeline which will do the same thing, for example:

% dumpcap -w - | tshark -R icmp -r - -w /tmp/foo.pcapng

Muhammad El-Sergani wrote:
Hello,

At the moment I'm using v1.4.2, I know it's not the latest, but had to have it after a recent switch upgrade.

Can't remember at the moment the older version I was using, but simply typing:
# tethereal/tshark -i ethX -w trace.pcap -R 'sip.To contains 'xxxxxxx''
would work :)


Thanks
//M


On Thu, Mar 7, 2013 at 11:38 PM, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:

    On 03/07/2013 11:27 AM, Muhammad El-Sergani wrote:
     > Hello all,
     >
     > After a recent Wireshark update on one of our SIP servers, we are unable to
     > apply a read filter while writing the capture file, but rather have to capture
     > everything to a host, write that to a file then apply our read filters when
     > reading from the file.
     >
     > This is hard to maintain as our SIP traffic is huge, and just capturing
     > everything is unpractical.
     >
     > Is there a known/method/practice/script that can be used to allow users to apply
     > a read filter to a trace session while writing the dump to a file?
     >
     > Everything is Linux based.
     >
     > Thanks
     > in advance!
     > //M
     >

    Hi,

    Can you specify what a recent Wireshark update means? What version did you have
    before and what version do you have now?

    Thanks,
    Jaap