This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark error - invalid -z argument

Hello Gurus,

I am executing the following command in an RH Linux environment (Wireshark 1.6.13; the Red Hat Linux version is 2.6.18-348.12.1.el5):

tshark -T fields -r ../P8Stress/WS1-WF-FL\@2014-02-21_08-00_8-05.pcap -q -z "follow,tcp,ascii,0"

I am getting the error message I have pasted below. The command works when I run it on the Windows environment. However, since our target environment is Linux, we need it to be working there as well. Is there a different way I need to use the -z switch in a Linux environment?

tshark: invalid -z argument.
  -z argument must be one of :
     afp,srt
     ancp,tree
     ansi_a,
     bacapp_instanceid,tree
     bacapp_ip,tree
     bacapp_objectid,tree
     bacapp_service,tree
     bootp,stat,
     camel,counter
     camel,srt
     collectd,tree
     compare,
     conv,
     dcerpc,srt,
     dests,tree
     diameter,avp
     gsm_a,
     h225,counter
     h225,srt
     hosts
     http,stat,
     http,tree
     http_req,tree
     http_srv,tree
     icmp,srt
     icmpv6,srt
     io,phs
     io,stat,
     ip_hosts,tree
     isup_msg,tree
     megaco,rtd
     mgcp,rtd
     plen,tree
     proto,colinfo,
     ptype,tree
     radius,rtd
     rpc,programs
     rpc,srt,
     rtp,streams
     sametime,tree
     scsi,srt,
     sctp,stat
     sip,stat
     smb,sids
     smb,srt
     smpp_commands,tree
     sv
     ucp_messages,tree
     wsp,stat,

Please help.

asked 30 Apr '14, 14:44

ssh_aix

edited 01 May '14, 12:59

JeffMorriss ♦

What version of tshark do you have on Windows, and what version do you have on AIX? I think the "-z follow" command was added in or around tshark 1.8. Run tshark -v to get the version information.

(30 Apr '14, 14:47) zachad

1.10 in Windows. I am at a client's place, waiting for him to get the tshark version info. I already asked him for that.

Is there any workaround for earlier versions?

(30 Apr '14, 14:49) ssh_aix

Well, then -z follow,tcp is not available on that system.

(01 May '14, 07:20) Kurt Knochner ♦

One Answer:

Just to put an Answer to this question: as Kurt said, that option is not available on that older version of Wireshark/tshark. If you need the "follow" functionality you'll need to use the Wireshark GUI (you could cut-n-paste the "follow TCP stream" output into a text file if needed) or do the tshark work on a different system.

Unfortunately you can't (easily) get a more modern Wireshark on RHEL5 because the Gtk+ version in RHEL5 is too old to support even Wireshark 1.8.

answered 01 May '14, 10:09

JeffMorriss ♦

What version of Wireshark is this? We found this on one other RHEL system within the organization's network. It looks to be some VERY old version of Wireshark?

[[email protected] ~]# rpm -qa |grep wireshark

wireshark-1.0.15-5.el5.x86_64

(01 May '14, 11:45) ssh_aix

Yeah, RHEL ships with Wireshark 1.0. Red Hat ELs are all about stability, so they generally don't change versions within a RHEL version (e.g., RHEL 5.0 shipped with Wireshark 1.0, so it will forever be stuck with Wireshark 1.0).

If you compile your own you could get up to Wireshark 1.6 on these systems (without massive effort) but Kurt thinks that won't help you get the tshark option you want.

(01 May '14, 12:58) JeffMorriss ♦

but Kurt thinks that won't help you get the tshark option you want.

It won't help, because -z follow does not exist in 1.6.x. Actually, @zachad mentioned first that this particular option was added in 1.8.x.

@ssh_aix: it's probably easier to only record the data on RHEL (with tcpdump or dumpcap) and later analyze it on a system that provides at least wireshark 1.8.x (Windows, Linux, *BSD).

(01 May '14, 16:05) Kurt Knochner ♦
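The capture-on-RHEL, analyze-elsewhere workflow Kurt suggests, written out as an added example; it is not part of the original thread and not Wireshark project code. The interface name, port, output file names and the tshark_version_key/tshark_supports_follow helpers are assumptions made for illustration; the 1.8 threshold is the one the thread settles on. The analysis side checks the first line of `tshark -v` before trying `-z follow`, so an old tshark fails with one clear message instead of dumping the `invalid -z argument` list. The capture side passes `-s 0`, because the tcpdump shipped on RHEL 5-era systems defaults to a short snaplen that would truncate exactly the payload you later want to follow.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumptions: interface, port,
# file names and the helper names below are illustrative; "-z follow,tcp,..."
# is taken to exist in tshark 1.8 and later, as established in the thread.

# Reduce a "tshark -v" banner (e.g. "TShark 1.6.13 (SVN Rev ...)") to
# "MAJOR MINOR". Takes the banner as an argument so it can be exercised on a
# machine that has no tshark at all. Prints nothing if no version is found.
tshark_version_key() {
    printf '%s\n' "$1" | head -n 1 |
        sed -n 's/^[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1 \2/p'
}

# True (exit 0) when the banner names tshark 1.8 or newer, i.e. a build that
# accepts "-z follow"; false for 1.0.x/1.6.x builds like the RHEL ones here.
tshark_supports_follow() {
    key=$(tshark_version_key "$1")
    [ -n "$key" ] || return 1
    major=${key% *}
    minor=${key#* }
    [ "$major" -gt 1 ] && return 0
    [ "$major" -eq 1 ] && [ "$minor" -ge 8 ] && return 0
    return 1
}

# On the RHEL host: only record. tcpdump writes a pcap that any newer
# Wireshark can read; -s 0 captures full packets (old tcpdump defaults to a
# 68-byte snaplen), -C/-W rotate through ten 100 MB files, and the BPF filter
# keeps the capture down to the application port so there is less to follow.
capture_on_rhel() {
    iface="$1"; port="$2"; outfile="$3"
    tcpdump -i "$iface" -s 0 -C 100 -W 10 -w "$outfile" "tcp port $port"
}

# On the analysis host: refuse to run "-z follow" on a tshark that predates
# it, then print the requested stream. -q suppresses per-packet output so only
# the follow result is shown; "-T fields" from the original command is not
# needed for -z output.
follow_stream() {
    pcap="$1"; stream="${2:-0}"
    if ! tshark_supports_follow "$(tshark -v 2>/dev/null)"; then
        echo "tshark here is too old for -z follow (need 1.8+); analyze $pcap on a newer host" >&2
        return 2
    fi
    tshark -r "$pcap" -q -z "follow,tcp,ascii,$stream"
}

# Only act when told to, so sourcing or running this file without arguments
# just defines the functions (neither tcpdump nor tshark need be installed).
#   sh follow_workflow.sh capture eth0 8080 app.pcap   # on the RHEL box
#   sh follow_workflow.sh follow app.pcap 0            # on the newer box
case "${1:-}" in
    capture) capture_on_rhel "${2:-eth0}" "${3:-80}" "${4:-app.pcap}" ;;
    follow)  follow_stream "${2:-app.pcap}" "${3:-0}" ;;
    *) ;;
esac
```

The version check is deliberately based on the banner rather than on trying the option and parsing the error text, because the error list tshark prints varies between releases while the `TShark x.y.z` first line has stayed stable. Rotating files with `-C`/`-W` matters on a box you are leaving unattended: a single ever-growing pcap is the usual way to fill a filesystem during a stress test.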