Hello Gurus, I am executing the following command in an RH Linux environment (Wireshark 1.6.13 and Red Hat Linux version is 2.6.18-348.12.1.el5.):
I am getting the error message I have pasted below. The command works when I run it on the Windows environment. However, since our target environment is Linux, we need it to be working there as well. Is there a different way I need to use the -z switch in a Linux environment?
Please help.
asked 30 Apr '14, 14:44 ssh_aix
edited 01 May '14, 12:59 JeffMorriss ♦
One Answer:
Just to put an Answer to this question: as Kurt said, that option is not available on that older version of Wireshark/tshark. If you need the "follow" functionality you'll need to use the Wireshark GUI (you could cut-n-paste the "follow TCP stream" output into a text file if needed) or do the tshark work on a different system. Unfortunately you can't (easily) get a more modern Wireshark on RHEL5 because the Gtk+ version in RHEL5 is too old to support even Wireshark 1.8.
answered 01 May '14, 10:09 JeffMorriss ♦

What version of wireshark is this? We found this on one other RHEL system within the Organization network. It looks to be some VERY old version of wireshark?
(01 May '14, 11:45) ssh_aix

Yeah, RHEL ships with Wireshark 1.0. Redhat EL's are all about stability so they generally don't change versions within a RHEL version (e.g., RHEL 5.0 shipped with Wireshark 1.0 so it will forever be stuck with Wireshark 1.0). If you compile your own you could get up to Wireshark 1.6 on these systems (without massive effort) but Kurt thinks that won't help you get the tshark option you want.
(01 May '14, 12:58) JeffMorriss ♦

It won't help, because -z follow does not exist in 1.6.x. Actually @zachad mentioned first that this particular option was added in 1.8.x. @ssh_aix: it's probably easier to only record the data on RHEL (with tcpdump or dumpcap) and later analyze it on a system that provides at least wireshark 1.8.x (Windows, Linux, *BSD).
(01 May '14, 16:05) Kurt Knochner ♦
What version of tshark do you have on Windows, and what version do you have on AIX? I think the "-z follow" command was added in or around tshark 1.8. Run

tshark -v

to get the version information.

1.10 in Windows. I am at a client place waiting for him to get the tshark version info. I already asked him that.

Is there any workaround for earlier versions?

Well, then -z follow,tcp is not available on that system.
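The thread boils down to two practical steps: read the version out of `tshark -v`, and if it is older than 1.8 (where the thread says `-z follow` appeared) skip the follow option and instead keep the stream's packets in a capture file for analysis on a newer host. The script below is an added example written for this page, not code from the thread or from the Wireshark project. It assumes `-z follow,tcp,ascii,<stream>` is the follow syntax on 1.8+, that the `-R` read filter and the `tcp.stream` field exist on 1.6 (both do), and feeds in two constructed `tshark -v` first lines instead of running tshark.

```shell
#!/bin/sh
# Added example (not from the thread): pick a tshark command line that
# works on the installed version rather than failing on "-z follow".

# Extract "major.minor" from the first line of `tshark -v` output.
# Old builds print "TShark 1.6.13 (...)", newer ones "TShark (Wireshark) 3.x.y",
# so skip any non-digits after the product name.
tshark_major_minor() {
    printf '%s\n' "$1" |
        sed -n '1s/^TShark[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# True (exit 0) when the version is 1.8 or newer, the first release with
# "-z follow" according to the thread. Unparseable input counts as "no".
supports_follow() {
    case "$1" in
        *.*) ;;
        *) return 1 ;;
    esac
    major=${1%%.*}
    minor=${1#*.}
    if [ "$major" -gt 1 ]; then
        return 0
    elif [ "$major" -eq 1 ] && [ "$minor" -ge 8 ]; then
        return 0
    fi
    return 1
}

# Print the command to use for capture file $2 and TCP stream index $3:
# follow it directly on 1.8+, otherwise write just that stream's packets
# to a small pcap that can be followed later on a newer Wireshark.
plan_command() {
    ver=$(tshark_major_minor "$1")
    if supports_follow "$ver"; then
        printf 'tshark -r %s -q -z follow,tcp,ascii,%s\n' "$2" "$3"
    else
        printf 'tshark -r %s -R "tcp.stream eq %s" -w stream_%s.pcap\n' "$2" "$3" "$3"
    fi
}

# Constructed sample first lines of `tshark -v` (not real tool output).
SAMPLE_OLD='TShark 1.6.13 (constructed sample line)'
SAMPLE_NEW='TShark 1.10.0 (constructed sample line)'

# On a real host: plan_command "$(tshark -v 2>/dev/null)" capture.pcap 3
plan_command "$SAMPLE_OLD" capture.pcap 3
plan_command "$SAMPLE_NEW" capture.pcap 3
```

The fallback keeps the capture step on the RHEL box (dumpcap or tcpdump to produce `capture.pcap`) and defers the follow step, which is exactly the split Kurt suggests; the only thing the old tshark has to do is a read filter it already understands.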