Saturday, 23 April 2011

tshark

tshark -i wlan3 -f "host 1.2.3.4 and port 80" -c 1000 -w /tmp/test.dump


"Wireshark & Ethereal Network Protocol Analyzer Toolkit"

In these situations, it is best to use Tshark (the console-based version of
Wireshark) to do the actual capture and initial processing of the data. To
capture from an interface to a file, use this command:
tshark -i -w
If you have a limited amount of space and/or want to limit the size of your
capture files, you can use the ring buffer functionality with Tshark to capture
from interface to capture files with a maximum size each and a base filename by
executing the following at the command line:
tshark -i -w -b -a filesize:

Once you have captured the data you need, you can use Tshark to reduce
the capture to a more manageable size. To use a display filter string to filter
a capture file and save the results to a new capture file, execute the
following at the command line:
tshark -r -w -R
If you need to extract all packets from the capture file that were captured
between Jan 8, 2004 22:00 and Jan 8, 2004 23:00, execute the following
command:
tshark -r -w -R '(frame.time >= "Jan 8, 2004 22:00:00.00" ) && (frame.time <= "Jan 8, 2004 23:00:00.00")'
Once you have reduced the data down to a size where Wireshark’s performance
is workable, open the Capture file in Wireshark to perform more
involved analysis.
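
The capture and reduction steps from the excerpt, written as shell functions. This is an added example, not code from the book or from the original post. It assumes a current tshark, where the single-pass display filter option is -Y (the book's -R now needs -2) and the ring buffer is set with -b filesize:/-b files:. The function names and the TSHARK variable are made up for this example.

```shell
#!/bin/sh
# Added example: wrappers around the tshark steps described above.
# TSHARK can be pointed at a stub to inspect the arguments without capturing.
TSHARK="${TSHARK:-tshark}"

# Build the display filter for a capture-time window.
# Quotes and backslashes are rejected so that a timestamp taken from a
# script argument cannot change the meaning of the filter expression.
window_filter() {   # start end
    for ts in "$1" "$2"; do
        case "$ts" in
            ''|*\"*|*\\*|*\'*)
                echo "invalid timestamp: $ts" >&2
                return 1 ;;
        esac
    done
    printf '(frame.time >= "%s") && (frame.time <= "%s")' "$1" "$2"
}

# Ring-buffer capture: start a new file every size_kb kilobytes and keep
# at most num_files files, so the capture cannot fill the disk.
ring_capture() {    # iface basefile size_kb num_files
    for n in "$3" "$4"; do
        case "$n" in
            ''|*[!0-9]*)
                echo "size and file count must be numeric" >&2
                return 1 ;;
        esac
    done
    "$TSHARK" -i "$1" -w "$2" -b "filesize:$3" -b "files:$4"
}

# Reduce an existing capture to the packets inside a time window.
extract_window() {  # infile outfile start end
    filter=$(window_filter "$3" "$4") || return 1
    "$TSHARK" -r "$1" -w "$2" -Y "$filter"
}
```

For example, extract_window big.pcap hour.pcap "Jan 8, 2004 22:00:00.00" "Jan 8, 2004 23:00:00.00" writes only the packets from that hour to hour.pcap (file names here are placeholders).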

Git usage notes

 Basic settings for the git user: $ git config --global user.name "Remzi AKYÜZ" $ git config --global user.email "remzi@ak...