Chip,
Filters on dumpcap (-f) are capture filters, which restrict
what is being captured to file. Display filters (-R on tshark)
restrict what is being displayed, but don't affect what is
captured.
You can use tshark, but just set it to say stop after ten
minutes (using say -a duration:600), to limit how much context
and hence memory tshark consumes. You then just need a script
wrapper to loop starting new instances of tshark, like so:-
while [ 1 ]; do tshark -i eth1 -a duration:600 -T fields -e frame.time -e ip.src -e ip.dst; done
Regards, Martin
MartinVisser99@xxxxxxxxx
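An added example, not part of Martin's reply or of the Wireshark project: a small POSIX sh wrapper that does what the one-liner above does, but with the loop, the capture filter and the per-instance command built by named functions so they can be checked. It combines the two points in the reply: a capture filter (-f, which both dumpcap and tshark accept) keeps only TCP port 80 and 443 traffic, and each tshark or dumpcap instance is told to stop after a fixed duration (-a duration:N) so one process never grows unbounded; the loop simply starts the next one. The interface name eth1, the 600-second duration and the ports are assumptions, and dumpcap writes a file (-w) because it has no on-screen field display.

```shell
#!/bin/sh
# Added example (not from the original thread): bounded, looping capture of
# HTTP/HTTPS traffic with tshark or dumpcap. Interface, ports and duration
# are assumptions; override them through the environment if needed.

IFACE="${IFACE:-eth1}"
DURATION="${DURATION:-600}"   # seconds each capture instance runs
MAX_RUNS="${MAX_RUNS:-0}"     # 0 = loop forever, like the one-liner

# Build a BPF capture filter (-f) from a list of TCP ports:
#   build_capture_filter 80 443  ->  "tcp port 80 or tcp port 443"
build_capture_filter() {
    filter=""
    for p in "$@"; do
        if [ -z "$filter" ]; then
            filter="tcp port $p"
        else
            filter="$filter or tcp port $p"
        fi
    done
    printf '%s' "$filter"
}

# Compose the command for one bounded run. tshark prints selected fields to
# stdout; dumpcap cannot display fields, so it writes a pcap file instead.
build_command() {
    tool="$1"; iface="$2"; duration="$3"; filter="$4"; outfile="$5"
    case "$tool" in
        tshark)
            printf '%s' "tshark -i $iface -a duration:$duration -f '$filter' -T fields -e frame.time -e ip.src -e ip.dst"
            ;;
        dumpcap)
            printf '%s' "dumpcap -i $iface -a duration:$duration -f '$filter' -w $outfile"
            ;;
        *)
            return 1
            ;;
    esac
}

# Run bounded captures back to back. Each instance exits after DURATION
# seconds, which caps its memory use; the loop then starts a fresh one.
capture_loop() {
    tool="$1"; runs=0
    filter=$(build_capture_filter 80 443)
    while [ "$MAX_RUNS" -eq 0 ] || [ "$runs" -lt "$MAX_RUNS" ]; do
        runs=$((runs + 1))
        outfile="capture-$(date +%Y%m%d-%H%M%S)-$runs.pcap"
        cmd=$(build_command "$tool" "$IFACE" "$DURATION" "$filter" "$outfile") || return 1
        echo "run $runs: $cmd" >&2
        eval "$cmd"
    done
}

# Only start capturing when a tool name is given on the command line, so the
# functions above can be sourced or tested without touching an interface.
if [ "$#" -ge 1 ]; then
    command -v "$1" >/dev/null 2>&1 || { echo "$1 not found in PATH" >&2; exit 1; }
    capture_loop "$1"
fi
```

Invoke it as `sh capture.sh tshark` for on-screen fields or `sh capture.sh dumpcap` for rotating pcap files. Note that the port filter selects by port number only, so it keeps HTTPS packets (which remain encrypted) and misses HTTP served on non-standard ports; dumpcap's own ring-buffer options (-b duration:N with -b files:N) are an alternative to the external loop when files are all that is needed.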
On 2 November 2011 07:14, Chip <jeffschips@xxxxxxxxx> wrote:
On 11/1/2011 4:07 PM, Martin Visser wrote:
-T fields -e frame.time -e ip.src -e ip.dst
Thanks Martin.
I need to use dumpcap because it has a smaller memory
footprint. So if dumpcap cannot display to screen -- I guess
I will have to live with that for now -- what are the filters
to only display http and https traffic when using dumpcap -- I
cannot find any reference to the filtering techniques when
using dumpcap. Or is that intentional -- it just dumps
everything.
Thanks.
Thanks Martin -- that's perfect and succinct information. What I've
been looking for.