Les Bowditch wrote:
> Currently, the above syntax is capturing _/everything/_, not just the
> specified ports. Is the syntax incorrect,
Yes. From the man page:

    -d <layer type>==<selector>,<decode-as protocol>
        Specify that if the layer type in question (for example,
        tcp.port or udp.port for a TCP or UDP port number) has the
        specified selector value, packets should be dissected as the
        specified protocol.

        Example: -d tcp.port==8888,http will decode any traffic running
        over TCP port 8888 as HTTP.

The "-d" flag doesn't affect what gets captured; it affects how what gets
captured is *interpreted*.

And if you're running with "-w" and without "-S", no dissection, and no
interpretation, is done, so not only does "-d" not affect what gets captured,
it doesn't affect *anything* in your example.

What you want is

    tshark -w /home/active_cap/ -b duration:900 -b filesize:50000 -i vr0 tcp port 5060 or tcp port 6800 or tcp port 6801 or tcp port 6802

_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
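The distinction the reply draws, as an added example that is not from the thread or from Wireshark itself: one POSIX sh function builds the capture filter (the part that decides what "-w" writes), and a separate one builds "-d" decode-as options (which only change dissection when the file is read back). The port list, the protocol name and the output path are constructed values; the functions assume POSIX sh and do not run tshark themselves.

```shell
#!/bin/sh
# Added example (not from the original post). Constructed inputs; assumes POSIX sh.
# Two independent pieces of a tshark invocation:
#   1. capture filter  -> decides which packets are captured/written (-w)
#   2. -d decode-as    -> decides how captured packets are dissected (-S or -r)

# Build the BPF capture filter "tcp port A or tcp port B ..." from a port list.
# Refuses anything that is not a number in 1..65535, so a typo cannot quietly
# turn into an empty filter that captures everything.
tcp_capture_filter() {
    filter=""
    for p in "$@"; do
        case "$p" in
            ''|*[!0-9]*) echo "bad port: $p" >&2; return 1 ;;
        esac
        if [ "$p" -lt 1 ] || [ "$p" -gt 65535 ]; then
            echo "port out of range: $p" >&2; return 1
        fi
        if [ -z "$filter" ]; then
            filter="tcp port $p"
        else
            filter="$filter or tcp port $p"
        fi
    done
    printf '%s\n' "$filter"
}

# Build "-d tcp.port==PORT,PROTO" options for the same ports. These change
# interpretation only; they never add or remove packets from the capture.
decode_as_args() {
    proto="$1"; shift
    out=""
    for p in "$@"; do
        out="$out -d tcp.port==$p,$proto"
    done
    printf '%s\n' "${out# }"
}

# Usage (values constructed for illustration; 'http' mirrors the man page example):
#   capture:  tshark -w /home/active_cap/ -b duration:900 -b filesize:50000 -i vr0 \
#                 "$(tcp_capture_filter 5060 6800 6801 6802)"
#   read back: tshark -r /home/active_cap/file.pcap $(decode_as_args http 6800 6801 6802)
```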