Wireshark-users: Re: [Wireshark-users] T-Shark capture filter question
Date Prev · Date Next · Thread Prev · Thread Next
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 31 Aug 2011 16:31:32 -0700
On Aug 31, 2011, at 3:29 PM, Steve Evans wrote (twice - I'm replying only to the first message):

> I'm trying to use T-shark to capture my Cisco wireless access point traffic in sniffer mode. In accordance I need to accept packets from UDP port 5555 and decode it as udp.port==5000,airopeek. Its easy enough to do in the gui but T-shark complains about my capture filter.
> 
> My filter:
> tshark -i 1 -f "udp.srcport == 5555" -b filesize:20480 -b files:2 -d udp.port==5000,airopeek -w wfn-sniffed.cap

It's complaining about your capture filter because you used Wireshark's display filter syntax rather than libpcap/WinPcap's capture filter syntax; capture filtering is done by libpcap/WinPcap or, in OSes where they rely on kernel-mode code to do the filtering (Linux, *BSD, Mac OS X, Windows with WinPcap, some others), said code, so the capture filters use that syntax.

> In summary, I need to take packets from udp port 555

If you mean "555", the libpcap/WinPcap syntax for that is "udp src port 555".  If you meant "5555", that's "udp src port 5555".

> and decode them as udp 5000 airopeek, all using t-shark.

What do you mean by "as udp 5000 airopeek"?  "-d udp.port=5000,airopeek" means "decode all packets to or from port 5000 using the dissector for the airopeek protocol".  If you combine "-f udp src port 5555" and "-d udp.port==5000,airopeek", it will capture only traffic coming from UDP port 5555, and will decode packets going *to* UDP port 5000 as airopeek packets. Packets from port 5555 to some other port will *NOT* be dissected as airopeek - and packets going to port 5000 would be dissected as airopeek *without* the "-d" option, as that's the default port for airopeek.

Furthermore, the command you give will save captured packets to the file wfn-sniffed.cap, but, as TShark won't be dissecting the packets, the "-d" option is completely irrelevant; the "-d" flag is *NOT* saved in the capture file (the pcap file format has no mechanism for saving information of that sort and no mechanism for adding that ability; the pcap-ng format is extensible, but currently has no record types in which to store an indication such as "decode traffic to or from port 5555 as airopeek"), so if you open that file in Wireshark, you'll *still* have to specify "decode traffic to or from port 5555 as airopeek" in the GUI.

Note that, if all you're doing is capturing traffic to a file to look at later, you might as well use dumpcap - tshark, in that case, just acts as a front-end to dumpcap.