This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark: That string looks like a valid display filter; however, it isn’t a valid

0

here is the command I tried to use:

tshark -i eth1 -f diameter

And the output:

tshark: Invalid capture filter: "diameter"!
That string looks like a valid display filter; however, it isn't a valid capture filter (syntax error).
Note that display filters and capture filters don't have the same syntax, o you can't use most display filter expressions as capture filters.
See the User's Guide for a description of the capture filter syntax.

That is the user guide I found. But I didnt get any useful info according to my issue. Please help.
Edit: I would like to save only the diameter packets, but when I am using this command:

tshark -i eth1 -R diameter -w /home/ttcn3/traces/

I got this:

tshark: Read filters aren't supported when capturing and saving the captured packets.

So how can save only those packets which I would filter by protocol name?

asked 04 Feb '13, 06:41

HiB's gravatar image

HiB
16337
accept rate: 0%

edited 04 Feb '13, 06:57

2

With reference to question about filtering live captures with tshark, see this question. Note in particular the answer by @JeffMorriss

(04 Feb '13, 07:09) grahamb ♦

thanks, so this is a bug in tshark

(04 Feb '13, 08:30) HiB

The "bug" is more a consequence of how tshark works after the privilege separation work was done. As the comments on the bug show, some work is being done to improve the situation, but right now doing this doesn't work in release builds.

(04 Feb '13, 08:53) grahamb ♦

2 Answers:

1

The following might work for you: tshark -i eth1 -f "tcp port 3868"

answered 04 Feb '13, 10:16

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

thanks, in this case, but in generally I would do with protocol filtering, not with port filtering

(04 Feb '13, 10:23) HiB

You indicated that, "I would like to save only the diameter packets". That implies that you are in need of an appropriate capture filter in order to accomplish this. Since you need a capture filter, you must follow capture filter syntax, and not Wireshark's display filter syntax for the diameter protocol. See also the Wireshark diameter wiki page.

(04 Feb '13, 11:00) cmaynard ♦♦

0

The output you're seeing is a pretty good explanation of what's going wrong. Capture filters are used to limit the packets that are actually sniffed off the wire. You are probably looking for a Display Filter, which can be applied using the -R flag:

tshark -i eth1 -R diameter

I'm not familiar with the 'diameter' protocol, but I believe this will help you out.

answered 04 Feb '13, 06:51

zachad's gravatar image

zachad
331149
accept rate: 21%

thanks, but then I need to edit my original question, since I know this -R switch

(04 Feb '13, 06:53) HiB