
Wireshark-users: Re: [Wireshark-users] Value too large for defined data type

From: Andrej van der Zee <andrejvanderzee@xxxxxxxxx>
Date: Wed, 5 Aug 2009 23:15:22 +0900
Hi,


cat big.cap | dumpcap -i- -w smaller.cap -b filesize:65536

I was wondering why the capture filter is not working as I expect. I want to dump only the packets that have a specific ip for src. I do it like this:

cat big.cap | dumpcap -i- -w smaller.cap -b filesize:65536 -f "src host 1.2.3.4"

But somehow all the packets are dumped anyway. Am I misunderstanding something?

Somehow the capture filter expression is completely ignored when dumpcap reads from a pipe: When I use a bogus expression it does not complain at all.

Is there any way to use capture filters when dumpcap reads from a pipe? I know I can do it in multiple steps with tshark, but this is much less convenient.

Thank you,
Andrej
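
Added example (not part of the original message and not Wireshark project code): for the case described above, where packets from one source address have to be selected from a capture arriving on a pipe, one option is to filter the pcap stream before it reaches dumpcap. The names filter_src_host and build_sample are hypothetical, and the sketch assumes a classic pcap stream (not pcapng) of untagged Ethernet frames.

```python
import socket
import struct
import sys

# Classic pcap magics (microsecond and nanosecond), mapped to struct byte order.
MAGICS = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">",
          b"\x4d\x3c\xb2\xa1": "<", b"\xa1\xb2\x3c\x4d": ">"}
LINKTYPE_ETHERNET = 1

def filter_src_host(inp, out, src_ip):
    """Copy records whose IPv4 source equals src_ip; return (kept, seen)."""
    want = socket.inet_aton(src_ip)
    header = inp.read(24)
    order = MAGICS.get(header[:4])
    if len(header) < 24 or order is None:
        raise ValueError("input is not a classic pcap stream")
    if (struct.unpack(order + "I", header[20:24])[0] & 0xFFFF) != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    out.write(header)
    kept = seen = 0
    while True:
        rec = inp.read(16)
        if len(rec) < 16:
            break                      # end of stream
        incl_len = struct.unpack(order + "IIII", rec)[2]
        data = inp.read(incl_len)
        if len(data) < incl_len:
            break                      # truncated last packet: drop it
        seen += 1
        # Untagged Ethernet II: EtherType at bytes 12-13, IPv4 source at 26-29.
        # VLAN-tagged and IPv6 frames never match and are dropped.
        if data[12:14] == b"\x08\x00" and data[26:30] == want:
            out.write(rec + data)
            kept += 1
    return kept, seen

def build_sample(sources):
    """Constructed input: one minimal Ethernet/IPv4 frame per source address."""
    cap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    for i, src in enumerate(sources):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, i, 0, 64, 17, 0,
                         socket.inet_aton(src), socket.inet_aton("10.0.0.1"))
        frame = b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip
        cap += struct.pack("<IIII", i, 0, len(frame), len(frame)) + frame
    return cap

if __name__ == "__main__":
    kept, seen = filter_src_host(sys.stdin.buffer, sys.stdout.buffer, sys.argv[1])
    print(f"kept {kept} of {seen} packets", file=sys.stderr)
```

Saved as filter_src.py (a hypothetical file name), it sits in the pipeline as: cat big.cap | python3 filter_src.py 1.2.3.4 | dumpcap -i- -w smaller.cap -b filesize:65536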