This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Writing a tshark filter through tcl

0

Hi,

I'm facing an issue while writing a tshark filter expression through tcl -- where we write the expression using 'contains'

For Eg. "tshark -r $captureFile -qz io,stat,0, eth.src==$sourceMac&&isis.lsp.lspid contains 'ff' "

I am able to write expressions which do not contain any spaces and use the == operator but I'm getting an error when trying to get the above expression working ....essentially : isis.lsp.lspid contains "ff"

Somehow, either the spaces in the expression or the "" around ff are causing it. Also tried escaping the "" (\"ff\")

One of the errors: Protocol ("ff") cannot appear on right-hand side of comparison.

But I'm not able to get it working even after trying a number of different combinations.

Any suggestions on how to get it working ?

Thanks, Niliss

asked 17 Aug '12, 13:07

Niliss's gravatar image

Niliss
6113
accept rate: 0%

edited 17 Aug '12, 13:12


One Answer:

1

The problem is that ff is a filter on its own, for "FOUNDATION Fieldbus" traffic. You should be able to work around it by adding a trailing colon, i.e., use "ff:".

And in case you ever want to test for fc, you will run into the same problem as this is the filter used for "Fibre Channel" traffic.

See also question 2274.

answered 18 Aug '12, 10:01

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

That works ! Thanks a lot !

(20 Aug '12, 07:01) Niliss