I need to stop tshark (the command-line equivalent of Wireshark) after a certain condition is met.
From the tshark man pages, I found that the stop condition can be applied in terms of duration, files, file size, and multi-file mode.
Is there any stopping condition that I can apply through the capture filter so that tshark stops the capture?
Example: after receiving a TCP SYN packet from a specific port number (the condition used in the capture filter), tshark stops the capture.
Please answer this riddle.