On Mar 23, 2009, at 8:24 PM, Stephen Fisher wrote:
Try redirecting the output of the first command to the file. The -w
option is for writing raw packet data in libpcap format to a file. To
quote the tshark man page:
If you want to write the decoded form of packets to a file, run TShark
without the -w option, and redirect its standard output to the file
(do not use the -w option).

At least with the top-of-tree SVN version of tshark, you can combine
the two:
tshark -S -i eth0 -n port 68 -R 'bootp.type == 2' -o column.format:'"Source MAC","%hs"' -w /tmp/mac
"-S" says it should both print packet information to the standard
output *and* write to the file specified in the "-w" option.
(Obviously, specifying the standard output to the "-w" flag would be a
Very Bad Idea in that case.)