This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I use filter on the command line

0

I am trying use filter like this. But it return error on -R options? It looks like it doesn't like brackets any clues how the syntax should be?

"C:\Program files\Wireshark\wireshark" -r "2012-07-27_154856_10.36.1.210_4.pcap" -R "(ip.addr==x.x.x.x and gtp) || ( ranap.gTP_TEI == 0x000059ca or sctp.port==xxxxxx and (frame.time > "Jul 27, 2012 16:36:00" and frame.time < "July 27, 2012 16:38:00"))"

asked 01 Aug '12, 01:52

Dees's gravatar image

Dees
1333
accept rate: 0%

One Answer:

0

The problem is the use of quotes, not the brackets. You need to escape the inner quotes with \", otherwise the DOS commandline get's confused. Please try this:

"C:\Program files\Wireshark\wireshark" -r "2012-07-27_154856_10.36.1.210_4.pcap" -R "(ip.addr==x.x.x.x and gtp) || ( ranap.gTP_TEI == 0x000059ca or sctp.port==xxxx and (frame.time > \"Jul 27, 2012 16:36:00\" and frame.time < \"July 27, 2012 16:38:00\"))"

Regards
Kurt

answered 01 Aug '12, 02:17

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Its still giving same error.

Unexpected end of filter string

The filter expression "(ip.addr=192.168.0.1 and gtp) || (" isn't a valid display filter.

(01 Aug '12, 02:23) Dees

it works on my Win 7 system. What is your OS? Maybe you should use OR instead of ||.

(01 Aug '12, 02:31) Kurt Knochner ♦