Wireshark-users: Re: [Wireshark-users] -d option does not listen to the port I choose
From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 3 Sep 2010 07:34:15 +0200
On 3 sep 2010, at 06:26, James Hozier wrote:

>>> tshark -i en1 -tad -lnx -d tcp.port==7001,irc -R 'irc'
>>> 
>>> When I start to see the packets on my screen, they are from port 6667,
>>> not from port 7001. Anything from port 7001 I do not see, but it listens
>>> to port 6667 for some reason? Why does it do this?
>> 
>> -d ...  means decode any traffic on tcp port 7001 as irc;
>>         (it does *not* mean 'listen on this port')
>> -R .. means filter on irc packets.
>> 
>> If you want to just see port 7001 traffic you should use
>> -R 'tcp.port==7001'
> 
> Okay so then I have this:
> tshark -i en1 -tad -lnx -R 'tcp.port==7001'
> 
> How do I specify IRC only? And not other packets?

Combine the two:

tshark -i en1 -tad -lnx -d tcp.port==7001,irc -R "tcp.port==7001 && irc"

This command will interpret traffic on port 7001 as IRC (-d tcp.port==7001,irc) and then use a display filter to only show traffic that was on port 7001 (-R "tcp.port==7001...), but only those packets that are dissected as IRC (...&& irc").

Hope this helps,
Cheers,


Sake