Wireshark-bugs: [Wireshark-bugs] [Bug 2234] Filtering tshark captures with display filters (-R)
Date: Thu, 23 Aug 2012 08:06:25 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234

--- Comment #23 from Andrzej Dopierała <undefine@xxxxxxxxxxxxx> 2012-08-23 08:06:25 PDT ---
(In reply to comment #22)
> From r43102 it's possible to use pipe as workaround.
> 
> Instead of:
> $ tshark -i XXX -R 'yourfilter' -w file.pcap
> do:
> $ dumpcap -i XXX -w - | tshark -r - -R 'yourfilter' -w file.pcap
> 
> It's worth mentioning that wiretap doesn't have any special handling of pipes,
> and it'll read data in whole I/O block size for pipe (typically 4096B).
> Captured data will be saved with a delay, and you might also lose the last 4K of
> data.

undefine@uml:~$ sudo dumpcap -i wlan0 -w - | tshark -r - -R 'sip' -w file.pcap
File: -
Packets: 59 tshark: The file "-" could not be opened: Illegal seek.
Packets: 62 Packets dropped: 0

Doesn't work on all tshark versions. Here I have 1.4.

I just backported tshark from 0.99 to lenny and squeeze and it works fine :)
