Wireshark · Wireshark-users: [Wireshark-users] Capture filter when capturing from std-in not working

Wireshark-users: [Wireshark-users] Capture filter when capturing from std-in not working

From: Jim Balo <jimbalo22@xxxxxxxxx>

Date: Sun, 21 Sep 2008 10:27:43 -0700 (PDT)

Hi,

Could someone explain to me why the capture filter does not take effect when doing this:

cat snort.log.1221770409 | tshark -i - -f "host 10.10.2.4"

tshark shows all packages - not only those for host 10.10.2.4.

The above is just a simple test. What I really need to do is to merge a bunch of big pcap files + apply a filter + write the result to new pcap file. I tried this:

mergecap -w - snort.log.1221* | tshark -i - -w /test_0918.pcap -f "host 10.10.2.4"

But the filter did not work, so the output file hit the 2.1 GB limit, crashed and burned.

Any help would be great!

Thanks,

Follow-Ups:
- Re: [Wireshark-users] Capture filter when capturing from std-in not working
  - From: Sake Blok

Prev by Date: Re: [Wireshark-users] Wireshark 1.0.3 on OS X 10.5.5 SSL decryption
Next by Date: Re: [Wireshark-users] Capture filter when capturing from std-in not working
Previous by thread: Re: [Wireshark-users] Wireshark 1.0.3 on OS X 10.5.5 SSL decryption
Next by thread: Re: [Wireshark-users] Capture filter when capturing from std-in not working
Index(es):
- Date
- Thread