> It says that this isn't a valid capture filter due to a syntax error:
> nicholas $ sudo tshark -f udp.port=5060,sip
> Running as user "root" and group "root".
> tshark: Invalid capture filter "udp.port=5060,sip" for interface
> That string isn't a valid capture filter (can't parse filter expression:
> See the User's Guide for a description of the capture filter syntax.
> so I'm still reading the manual, but could sure use a pointer here.

There are two filter syntaxes, the capture filter syntax, also known as BPF filters, which is a high performance filter that limits which packets are captured but concentrates on Layer 1-3 filtering and display filters which can operate on any field in any protocol that Wireshark knows about but require full dissection so are lower performing.

The capture filter syntax is described here:
default filter for tshark or can be preceded by the -f flag.

The display filter syntax is described here:
The display filter syntax can also be used as a "Read" filter to limit the packets read from a capture (and can't be used on a live capture) with the -r flag (which also requires the -2 flag).

Port 5060' " then that will limit the capture to that UDP port, and "sip" isn't part of the display filter syntax so that's why you get the error, also note that capture filters don't use "=".

Hopefully no other protocols will be using it.
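The two filter stages described in the reply, written out as an added example that is not part of the original post. The interface name `eth0`, the file name `calls.pcap` and the helper function names are assumptions; `-Y` (display filter) and `-R` (read filter) are tshark options the post does not name.

```shell
#!/bin/sh
# Added example: pass each filter to tshark in the syntax its flag expects.
# Set DRY_RUN=1 to print the command line instead of running tshark.

SIP_PORT=5060   # port from the thread

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf '%s\n' "$*"      # show the arguments that would be passed
    else
        "$@"
    fi
}

# Live capture.
#   -f takes a capture (BPF) filter: primitives such as "udp port 5060",
#      not display-filter field names such as udp.port.
#   -Y takes a display filter: "sip" keeps only packets dissected as SIP,
#      so other traffic that happens to use the port is not shown.
sip_live() {
    run tshark -i "$1" -f "udp port $SIP_PORT" -Y sip
}

# Saved capture file.
#   A capture filter only applies while capturing, so a file is narrowed
#   with a read filter in display-filter syntax: -R, which requires -2.
sip_from_file() {
    run tshark -r "$1" -2 -R sip
}

# Usage (hypothetical interface and file names):
#   sudo sh -c '. ./sip_filters.sh; sip_live eth0'
#   sh -c '. ./sip_filters.sh; sip_from_file calls.pcap'
```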