How do I capture three hosts with Wireshark via command line?

Question

I am successfully able to capture with this command line. C:\Program Files\Wireshark\wireshark.exe -i 4 -k -b duration:3600 -w c:\capture.pcap

I have tried this method and it pops the Wireshark command line help window. C:\Program Files\Wireshark\wireshark.exe -i 4 -k -b duration:3600 -w -f 10.0.0.1 and 10.0.0.2 and 10.0.0.3 c:\capture.pcap

I have also tried this way. C:\Program Files\Wireshark\wireshark.exe -i 4 -k -b duration:3600 -w -f host 10.0.0.1 and 10.0.0.2 and 10.0.0.3 c:\capture.pcap

Neither one of the above work. they both get the same error. I know it is something simple, however I do not know Wireshark well enough.

Thanks.

Answer 1

You have a few problems:

• The filename (c:\capture.pcap) must immediately follow the -w flag.
• The filter must be "quoted" if it contains spaces.
• You must specify the "host" keyword before each address.
• The logical operation you want is almost certainly "or", not "and"

Given the above, try: C:\Program Files\Wireshark\wireshark.exe -i 4 -k -b duration:3600 -w c:\capture.pcap -f "host 10.0.0.1 or host 10.0.0.2 or host 10.0.0.3"