Read filters haven't worked like this in quite a while (since 0.99.7).
The bug:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=2234
... is listed in the "known problems" of each release since then.
It is possible to build a pipeline which will do the same thing, for
example:
% dumpcap -w - | tshark -R icmp -r - -w /tmp/foo.pcapng
Muhammad El-Sergani wrote:
Hello,
At the moment I'm using v1.4.2, I know it's not the latest, but had to
have it after a recent switch upgrade.
Can't remember at the moment the older version I was using, but simply
typing:
# tethereal/tshark -i ethX -w trace.pcap -R 'sip.To contains 'xxxxxxx''
would work :)
Thanks
//M
On Thu, Mar 7, 2013 at 11:38 PM, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:
On 03/07/2013 11:27 AM, Muhammad El-Sergani wrote:
> Hello all,
>
> After a recent Wireshark update on one of our SIP servers, we are unable to
> apply a read filter while writing the capture file, but rather have to capture
> everything to a host, write that to a file then apply our read filters when
> reading from the file.
>
> This is hard to maintain as our SIP traffic is huge, and just capturing
> everything is unpractical.
>
> Is there a known/method/practice/script that can be used to allow users to apply
> a read filter to a trace session while writing the dump to a file?
>
> Everything is Linux based.
>
> Thanks
> in advance!
> //M
>
Hi,
Can you specify what a recent Wireshark update means? What version did you have
before and what version do you have now?
Thanks,
Jaap