Good morning,
I am using the following syntax in an attempt to do the following:
Syntax:
/usr/local/bin/tshark -w /home/active_cap/ -d tcp.port==5060,sip -d tcp.port==6801,http -d tcp.port==6802,http -d tcp.port==6800,http -b duration:900 -b filesize:50000 -i vr0
Goals:
1) Write only packets destined to/from port 5060, 6800, 6801 and 6802 (Preferably without decoding the packet)
2) The file should roll-over after 900 seconds or 50mbytes
Currently, the above syntax is capturing _everything_, not just the specified
ports. Is the syntax incorrect, or is tshark not capable of doing what I
want?
Thanks,
Les