Running TShark in a batch file with -r attempts to capture traffic rather than reading the file

Question

tshark -r <file> -Y "(ip.addr==10.1.1.2 or ip.addr==10.2.4.12 or ip.addr==10.5.3.6) and ("http.request.method==GET" or (tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.port==443) or (tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.port==22) )"

When i attempt to autorun this code using batch file process, I discovered that it does not accept it, rather it attempts to capture the traffic on my network. I want it to dissect the specified file. Is there a way to instruct it (tshark) to dissect the given file, and not to capture traffic..?

Thanks in anticipation of your response.

Answer 1

Did you put "<file>" literally in your batch file? The word "<file>" should be replaced by the name of the packet capture file that you want to analyze.

Answer 2

tshark -r <file> -Y "(ip.addr==10.1.1.2 or ip.addr==10.2.4.12 or ip.addr==10.5.3.6) and ("http.request.method==GET" or (tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.port==443) or (tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.port==22) )"
When i attempt to autorun this code using batch file process, I discovered that it does not accept it

The reason is the wrong number of quotes " in the argument string. Your shell will get confused by the additional quotes around http.request.method.

Please try this

tshark -r <file> -Y "(ip.addr==10.1.1.2 or ip.addr==10.2.4.12 or ip.addr==10.5.3.6) and (http.request.method==GET or (tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.port==443) or (tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.port==22) )"

or this (single quotes)

tshark -r <file> -Y '(ip.addr==10.1.1.2 or ip.addr==10.2.4.12 or ip.addr==10.5.3.6) and (http.request.method==GET or (tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.port==443) or (tcp.flags.syn==1 && tcp.flags.ack==0 && tcp.port==22) )'

Regards
Kurt