Wireshark-users: Re: [Wireshark-users] Display dumpcap in real time

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 1 Nov 2011 12:41:01 -0700
On Nov 1, 2011, at 12:22 PM, Chip wrote:

> Question: when using dumpcap to write to a file, is there a switch for viewing the data on the monitor as it writes to file?

What do you mean by "viewing the data"?  Dumpcap has no switch to dump out the raw contents of the bytes in the packet as hex or ASCII, and will *never ever* have a switch to view the packets as dissected - one of the reasons why dumpcap *exists* is *not* to have any capability to dissect packets, so that, if a program has to run with special privileges in order to capture network traffic, there's a limited amount of code running with those privileges, and thus a limited amount of code that has to be considered "safe".  Wireshark and TShark run dumpcap to capture traffic; running Wireshark or TShark with any special privileges would be foolish.  (Yes, this means "don't run Wireshark or TShark as root.")

If you want to see dissected versions of the packets as they're captured, use TShark with the -S flag.

> And alas, if I only want to capture the ip addresses of the two endpoints to the conversation along with timestamp, what would be the proper filter to use?

What do you mean by "only want to capture the ip addresses of the two endpoints"?  If you mean you only want to capture traffic between two particular known-by-IP-address endpoints, you'd want a capture filter of

	host {IP address 1} and {IP address 2}
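Two small helpers that follow from the answer above, added here as an example and not part of the thread or of Wireshark itself: one builds the capture filter for the two endpoints from parsed addresses so nothing but literal IPs reaches the filter string, the other audits `getcap -r` output to confirm that capture capabilities sit on dumpcap alone and not on wireshark or tshark. The function names and the getcap sample are constructed for this example; `-f` (capture filter) and `-w` (output file) are TShark's real options, and `-S` is used as the reply describes it.

```python
import ipaddress
import os
import re

# Linux capabilities that let a binary open a capture device.
CAPTURE_CAPS = {"cap_net_raw", "cap_net_admin"}
# Binaries that should never hold them; only dumpcap should.
DISSECTING_TOOLS = {"wireshark", "tshark"}

# Accepts both getcap output styles: "path = caps" (older libcap)
# and "path caps" (libcap >= 2.41).
_GETCAP_LINE = re.compile(r"^(?P<path>\S+)\s*=?\s*(?P<caps>\S+)$")


def build_capture_filter(ip_a: str, ip_b: str) -> str:
    """pcap filter for traffic between two endpoints.  Parsing first
    means a bad address raises ValueError instead of being spliced
    into the filter text."""
    a = ipaddress.ip_address(ip_a)
    b = ipaddress.ip_address(ip_b)
    # 'host A and B' is valid shorthand; the second 'host' is spelled
    # out only for readability.
    return f"host {a} and host {b}"


def tshark_live_dissect_argv(ip_a: str, ip_b: str, outfile: str) -> list:
    """argv for TShark: write to a file, print dissected packets (-S),
    and restrict capture to the two hosts with -f."""
    return ["tshark", "-S", "-w", outfile,
            "-f", build_capture_filter(ip_a, ip_b)]


def parse_getcap(output: str) -> dict:
    """Map each path in `getcap -r` output to its capability names."""
    caps_by_path = {}
    for line in output.splitlines():
        m = _GETCAP_LINE.match(line.strip())
        if not m:
            continue
        # "cap_net_admin,cap_net_raw+eip" -> {"cap_net_admin", "cap_net_raw"}
        names = re.split(r"[+=]", m.group("caps"))[0].split(",")
        caps_by_path[m.group("path")] = set(names)
    return caps_by_path


def capture_privilege_violations(getcap_output: str) -> list:
    """Dissecting tools that hold capture capabilities.  An empty list
    means the dumpcap-only privilege split is intact."""
    return sorted(path for path, caps in parse_getcap(getcap_output).items()
                  if caps & CAPTURE_CAPS
                  and os.path.basename(path) in DISSECTING_TOOLS)


# Constructed sample: a host where someone also gave tshark capture caps.
SAMPLE_GETCAP = """\
/usr/bin/dumpcap = cap_net_admin,cap_net_raw+eip
/usr/bin/tshark = cap_net_admin,cap_net_raw+eip
/usr/bin/ping cap_net_raw=ep
"""
```

Run `capture_privilege_violations(subprocess.check_output(["getcap", "-r", "/usr/bin"], text=True))` on a real host; ping keeping cap_net_raw is expected and is not reported.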