> From: Bill Meier <wmeier@xxxxxxxxxxx>
> Subject: Re: [Wireshark-users] -d option does not listen to the port I choose
> To: "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
> Date: Friday, September 3, 2010, 3:29 AM
> James Hozier wrote:
> > tshark -i en1 -tad -lnx -d tcp.port==7001,irc -R
> 'irc'
> >
> > When I start to see the packets on my screen, they are
> from port 6667,
> > not from port 7001. Anything from port 7001 I do not
> see, but it listens
> > to port 6667 for some reason? Why does it do this?
> >
> >
> >
>
> -d ... means decode any traffic on tcp port 7001 as
> irc;
> (it does *not* mean
> 'listen on this port)
> -R .. means filter on irc packets.
>
> So: I think the above means filter on irc:
> - on port 6667 which is the normal
> tcp port for irc
> (from looking at the irc
> dissector code);
> - and on on port 7001;
>
> If you want to just see port 7001 traffic you should use
> -R 'tcp.port==7001'
>
>
>
Okay so then I have this:
tshark -i en1 -tad -lnx -R 'tcp.port==7001'
How do I specify IRC only? And not other packets?