Re: Display dumpcap in real time

[Chip <jeffschips () gmail com>]

On 11/1/2011 4:27 PM, Martin Visser wrote:
> Chip,
>
> Filter on dumpcap (-f), are capture filters, which restrict what is 
> being captured to file. Display filters (-R on tshark) restrict what 
> is being display, but don't effect what is captured.
>
> You can use tshark, but just set it to say stop after ten minutes 
> (using say -a duration:600), to limit how much context and hence 
> memory tshark consumes.  You then just need a script wrapper to loop 
> starting new instances of tshark, like so:-
>
> while [ 1 ]; do tshark -i eth1 -a duration:600 -T fields -e frame.time 
> -e ip.src -e ip.dst; done
>
>
> Regards, Martin
>
> MartinVisser99 () gmail com <mailto:MartinVisser99 () gmail com>
>
>
> On 2 November 2011 07:14, Chip <jeffschips () gmail com 
> <mailto:jeffschips () gmail com>> wrote:
>
>     On 11/1/2011 4:07 PM, Martin Visser wrote:
>
>         -T fields -e frame.time -e ip.src -e ip.dst
>
>     Thank Martin.
>
>     I need to use dumpcap because it has a smaller memory footprint.
>      So if dumpcap cannot display to screen -- I guess I will have to
>     live with that for now -- what are the filters to only display
>     http and https traffic when using dumpcap -- I cannot find any
>     reference to the filtering techniques when using dumpcap.  Or is
>     that intentional -- it just dumps everything.
>
>     Thanks.
Thanks Martin -- that's perfect and succinct information.  What I've 
been looking for.

Thank you and have a great day.

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe