Hi,
cat big.cap | dumpcap -i- -w smaller.cap -b filesize:65536
I was wondering why the capture filter is not working as I expect. I want to dump only the packets that have a specific ip for src. I do it like this:
cat big.cap | dumpcap -i- -w smaller.cap -b filesize:65536 -f "src host 1.2.3.4"
But somehow all the packets are dumped anyway. Am I misunderstanding something?
Somehow the capture filter _expression_ is completely ignored when dumpcap reads from a pipe: When I use a bogus _expression_ it does not complain at all.
Is there any way to use capture filters when dumpcap reads from a pipe? I know I can do it in multiple steps with tshark, but this is much less convenient.
Thank you,
Andrej