Both of these should produce the same output:

    tshark -r myFile.pcap -T fields -e frame.number -e ip.src -Y "ip.src = 10.0.0.0/8"

Now, how can you tell it's a display filter and not a read filter? It becomes more evident when you also include the frame number.

If you simply quote the filter, then it should work just fine: tshark -r myFile.pcap -T fields -e ip.src "ip.src >= 10.0.0.0 & ip.src, so something like this:

    tshark -r myFile.pcap -T fields -e ip.src -Y "ip.src = 10.0.0.0/8"

The filter at the end is NOT a read filter at all, but rather it's a display filter and it MUST be quoted to be reliable.

The problem here is that there are bugs in the tshark documentation. If the filter is specified with command-line arguments after the option arguments, it's a capture filter if a capture is being done (i.e., if no -r option was specified) and a read filter if a capture file is being read (i.e., if a -r option was specified).

While the answer provided by is basically correct, according to the tshark man page, there's actually nothing wrong, per se, with your original attempt, at least according to the current documentation:

A capture or read filter can either be specified with the -f or -R option, respectively, in which case the entire filter expression must be specified as a single argument (which means that if it contains spaces, it must be quoted), or can be specified with command-line arguments after the option arguments, in which case all the arguments after the filter arguments are treated as a filter expression.