Tags: wireshark, network-protocols, tshark, network-traffic

Command line filter with protocol ICMP


I want to use Wireshark command line (tshark.exe) to capture the icmp traffic.

I used this and it worked well for src and dst host:

C:\Program Files\Wireshark>tshark.exe -f "src or dst host 192.192.1.1" -i 1 -a duration:10 -w C:\temp\mycap.cap

This works fine. But what if I just want to capture the traffic for protocol "icmp" and save the traffic to a file? This does not work:

C:\Program Files\Wireshark>tshark.exe -f "icmp" -i 1 -a duration:10 -w C:\temp\mycap3.cap

If I do this then it works:

C:\Program Files\Wireshark>tshark.exe -f "icmp"

For the above command, is there any way to know that Wireshark has captured a particular count of ICMP traffic with a given list of IPs? Let's say 10 ICMP packets from 10 different IPs.

Or, what do I need to change in the command to save the ICMP traffic to a file for a given duration?


Solution

  • This does not work

    What "does not work" about it? Does it not write any packets to the file? If so, are you certain that there were ICMP packets to write?

    Try doing a "ping" command in another command window while you're running TShark; if that captures packets, perhaps the problem is just that no ICMP traffic was sent or received during the 10 seconds that TShark was capturing.

    If I do this then it works

    That command doesn't have a time limit, so if it runs for a longer period of time, perhaps that's long enough that some ICMP packets were sent or received.

    For the above command, is there any way to know the wireshark has captured a particular count of icmp traffic with given list of ip?

    Well, if this were a BSD-flavored UN*X, such as *BSD or OS X, you could type control-T and it'd report how many packets it'd captured. However, this is Windows, so that doesn't work.

    However, if you don't run TShark with the -q flag, it should print out a running count of captured packets; you should have seen that count with C:\Program Files\Wireshark>tshark.exe -f "icmp".

    Let's say 10 count of ICMP traffic for 10 different IPs.

    TShark will report captured packet counts, but it won't report a count of addresses, just the total number of packets.

    Or, what do i need to change the command to save the icmp traffic to a file with given duration?

    The first command you typed, with -a duration:10, is the correct command for a duration of 10 seconds. Perhaps what you need to change is the duration, for example, -a duration:120 to capture for 2 minutes, in order to see ICMP packets. I ran tcpdump on my machine for longer than 10 seconds, with a filter of "icmp", and saw no ICMP traffic; ICMP packets either indicate problems (which are, hopefully, rare on your network) or the result of information queries and pings (which may also be rare), so you simply might not have a lot of ICMP traffic.
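The thread leaves the "how many ICMP packets from how many different IPs" part unanswered beyond TShark's running total. The script below is an added example, not code from the question or the answer: it wraps the capture command from the thread (same -f, -i, -a duration and -w flags), reads the saved file back with tshark -r, and counts ICMP packets per address with awk so you can check "at least N distinct IPs". The interface number 1, the output path /tmp/mycap3.cap and the sample address lines are assumptions or constructed data; on Windows the tshark.exe flags are identical but the awk/sort counting needs a POSIX shell (for example Git Bash or WSL).

```shell
#!/bin/sh
# Added example (not from the original question or answer). Interface 1,
# the output path and the sample lines below are assumed/constructed.

# Capture only ICMP for a fixed number of seconds into a file.
# -f is a libpcap capture filter, -a duration:N stops after N seconds,
# -w writes raw packets. Usage: capture_icmp <iface> <seconds> <outfile>
capture_icmp() {
    tshark -f "icmp" -i "${1:-1}" -a "duration:${2:-120}" -w "${3:-/tmp/mycap3.cap}"
}

# Read a saved capture and print one "src<TAB>dst" line per ICMP packet.
# -r reads a file, -Y applies a display filter, -T fields/-e picks columns.
dump_icmp_addresses() {
    tshark -r "$1" -Y "icmp" -T fields -e ip.src -e ip.dst
}

# Count how many ICMP packets each address took part in, reading the
# "src<TAB>dst" lines from stdin. Output: "<count> <address>", busiest first.
count_icmp_by_ip() {
    awk -F'\t' '
        NF >= 2 { seen[$1]++; seen[$2]++ }
        END { for (a in seen) printf "%d %s\n", seen[a], a }
    ' | sort -rn
}

# Succeed (exit 0) only if at least $1 distinct addresses appear on stdin.
has_at_least_n_ips() {
    want="$1"
    got=$(count_icmp_by_ip | wc -l | tr -d ' ')
    [ "$got" -ge "$want" ]
}

# Constructed sample of what dump_icmp_addresses prints for five packets:
# three echo requests from 192.192.1.1 and two replies back to it.
sample_lines() {
    printf '%s\t%s\n' \
        192.192.1.1 10.0.0.5 \
        10.0.0.5    192.192.1.1 \
        192.192.1.1 10.0.0.6 \
        10.0.0.6    192.192.1.1 \
        192.192.1.1 10.0.0.7
}

# Stand-alone run: do a real capture only when tshark is installed and
# RUN_CAPTURE is set; always show the counting on the constructed sample.
if [ -n "$RUN_CAPTURE" ] && command -v tshark >/dev/null 2>&1; then
    capture_icmp 1 120 /tmp/mycap3.cap
    dump_icmp_addresses /tmp/mycap3.cap | count_icmp_by_ip
fi
sample_lines | count_icmp_by_ip
```

On the constructed sample this prints "5 192.192.1.1" first and four addresses in total, so `sample_lines | has_at_least_n_ips 4` succeeds and `... 5` fails. If you only want per-address totals without awk, TShark's built-in statistics give the same information: `tshark -r /tmp/mycap3.cap -q -z endpoints,ip` prints a packet count per IP address for the whole file.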