Wireshark-dev: Re: [Wireshark-dev] Capture filter

From: Tharaneedharan Vilwanathan <vdharani@xxxxxxxxx>
Date: Fri, 16 Sep 2011 11:48:01 -0700
Hi All,

Reposting since it doesn't seem to have reached. Sorry if it is a repeat.

Regards
dharani

On Thu, Sep 15, 2011 at 3:25 PM, Tharaneedharan Vilwanathan
<vdharani@xxxxxxxxx> wrote:
> Hi All,
>
> I have a quick question on capture filter.
>
> I use named pipe to pass the packets to tshark. With a capture filter,
> I tried to (a) store packets, (b) display and (c) store and display
> the packets.
>
> $ tshark -i pipe_to_tshark -w test.pcap -f 'udp port 1900'
> $ tshark -i pipe_to_tshark -S -f 'udp port 1900'
> $ tshark -i pipe_to_tshark -w test.pcap -S -f 'udp port 1900'
>
> In all the above cases, packets dont seem to be filtered. From the
> documentation, it looks like capture filter is valid only for live
> traffic.
>
> Is the traffic arriving via named pipe considered live traffic? If so,
> why is the filtering not happening? If not, why tshark doesn't throw
> an error message?
>
> I remember capture filter being applied in kernel for live traffic
> which doesn't apply for my case above but just wanted to confirm,
> since I didnt see any error message for the above usages.
>
> I tried tshark 1.0.7 but I can try a later version if thats the problem.
>
> Please share your thoughts. Also, appreciate any pointers on capture
> filter implementation.
>
> Thanks
> dharani
>