
I would like to use one tshark command that would: open a capture file, apply a filter to its contents and then output a fixed number of resulting packets. Currently, I have come up with

tshark -r <infile> -Y <display filter> -w <outfile> -c <number of packets>

The problem is that -c <number of packets> works before the display filter is applied, i.e. it applies the <display filter> to the first <number of packets> of the original capture file which is not what I want. How do I reverse the order? I've been reading the manpage with no luck so far.

alisianoi

1 Answer


TShark:
tshark -r server_01.pcapng -l -Y dns -w - | tshark -r - -c 100 -w server_01_dns100.pcapng
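
One way to filter first and limit second, written as two tshark processes joined by a pipe and wrapped in a shell function with argument checks. This is an added example, not part of the original answer; `first_n_matching` is a hypothetical helper name, and it assumes a tshark build that can read a capture from stdin with `-r -`.

```shell
#!/bin/sh
# Added example: save the first N packets that MATCH a display filter.
# first_n_matching is a hypothetical helper name, not a tshark feature.
# Usage: first_n_matching <infile> <display filter> <count> <outfile>
first_n_matching() {
    # Validate arguments before touching any capture data.
    if [ "$#" -ne 4 ]; then
        echo "usage: first_n_matching <infile> <display filter> <count> <outfile>" >&2
        return 2
    fi
    infile=$1 filter=$2 count=$3 outfile=$4
    case $count in
        ''|*[!0-9]*|0) echo "count must be a positive integer" >&2; return 2 ;;
    esac
    [ -r "$infile" ] || { echo "cannot read $infile" >&2; return 2; }
    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 127; }

    # Stage 1 applies the display filter to the whole file and streams
    # the matching packets to stdout (-w -).
    # Stage 2 reads that stream (-r -) and stops after $count packets,
    # so the limit is applied to the filtered packets only.
    # A pipeline's exit status is that of its last command, so this checks
    # stage 2. Stage 1 may stop early with a write error once stage 2
    # closes the pipe; that is expected.
    tshark -r "$infile" -Y "$filter" -w - |
        tshark -r - -c "$count" -w "$outfile" || return 1

    # Count what was written; fewer than $count means the capture held
    # fewer matching packets than requested.
    written=$(tshark -r "$outfile" 2>/dev/null | wc -l)
    echo "wrote $((written)) of $count requested packets to $outfile"
}
```

Called as `first_n_matching server_01.pcapng dns 100 server_01_dns100.pcapng`, it produces the same output file as the pipeline above.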