I have a bunch of Wireshark captures I need to mine data from. Tshark seems to fit the bill, but by the look of it this doesn't support filtering (-f); I simply get:
tshark -x -r Run18.pcapng -f dst 10.53.30.41
Is there a way round this or is there some other tool that could do it – ideally producing the same sort of output (bytes and text)?
Best Answer
Tshark is actually extremely powerful for filtering, and has two kinds: capture filters with -f and display filters with -Y.
Tshark documentation says:
See
Your pcap files already have been captured, which means that you don't use a capture filter on them, you use a display filter.
Note the quotes to protect the filter from the shell.
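As an added example (not from the answer above and not part of Wireshark or tshark), here is a small Python script that does the same job as tshark -x -r Run18.pcapng -Y "ip.dst == 10.53.30.41" without tshark: it walks the Enhanced Packet Blocks of a pcapng file, keeps only Ethernet/IPv4 frames addressed to the given destination, and renders them as hex plus text. It assumes link type Ethernet and a pcapng (not classic pcap) file, and it builds its own two-frame sample capture inline rather than reading a real trace.

```python
import ipaddress
import struct
SHB, IDB, EPB = 0x0A0D0D0A, 1, 6  # pcapng block types handled here
def iter_blocks(data):
    """Yield (type, endian, body) per pcapng block; body skips the 8-byte header and trailing length."""
    endian, off = "<", 0
    while off + 8 <= len(data):
        btype = struct.unpack_from("<I", data, off)[0]
        if btype == SHB:  # the section header's byte-order magic selects endianness
            endian = "<" if data[off + 8:off + 12] == b"\x4d\x3c\x2b\x1a" else ">"
        blen = struct.unpack_from(endian + "I", data, off + 4)[0]
        yield btype, endian, data[off + 8:off + blen - 4]
        off += blen

def packets_to(data, dst):
    """Return Ethernet/IPv4 frames addressed to dst: the display filter ip.dst == dst, by hand."""
    want, out = ipaddress.IPv4Address(dst).packed, []
    for btype, endian, body in iter_blocks(data):
        if btype != EPB:
            continue
        caplen = struct.unpack_from(endian + "I", body, 12)[0]
        frame = body[20:20 + caplen]
        # EtherType 0x0800 = IPv4; IPv4 destination is header bytes 16..19, i.e. frame bytes 30..33
        if len(frame) >= 34 and frame[12:14] == b"\x08\x00" and frame[30:34] == want:
            out.append(frame)
    return out

def hexdump(frame):
    """Offset, 16 hex bytes and printable ASCII per line, the shape tshark -x prints."""
    lines = []
    for i in range(0, len(frame), 16):
        chunk = frame[i:i + 16]
        text = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{i:04x}  {' '.join(f'{b:02x}' for b in chunk):<47}  {text}")
    return "\n".join(lines)

# Constructed sample capture (not a real trace): one UDP frame in each direction.
def _frame(src, dst, payload):  # zero MACs, zero checksum: enough for the filter above
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, 17, 0,
                     ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return b"\x00" * 12 + b"\x08\x00" + ip + payload

def _block(btype, body):  # pcapng block: type, total length, 32-bit aligned body, total length
    body += b"\x00" * (-len(body) % 4)
    return struct.pack("<II", btype, len(body) + 12) + body + struct.pack("<I", len(body) + 12)
SAMPLE = (_block(SHB, struct.pack("<IHHq", 0x1A2B3C4D, 1, 0, -1))          # section header
          + _block(IDB, struct.pack("<HHI", 1, 0, 65535))                  # link type 1 = Ethernet
          + b"".join(_block(EPB, struct.pack("<IIIII", 0, 0, 0, len(f), len(f)) + f)
                     for f in (_frame("10.53.30.41", "10.53.30.9", b"reply"),
                               _frame("10.53.30.9", "10.53.30.41", b"GET /status"))))
```

Call hexdump on each frame returned by packets_to(SAMPLE, "10.53.30.41") to get the hex-and-text listing; for a real file pass open("Run18.pcapng", "rb").read() instead of SAMPLE.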