I am using tshark and mergecap to filter and merge a lot of PCAP files into one file for analysis. I have two problems that I can't solve.

1: With tshark, I cannot apply a filter to just the UDP source port. The data has a port that is the same on the source and destination side, so some criteria just pass all data by. Is there a workaround?

2: It seems that after I run tshark, my global header gets modified. I am most concerned about the link type being changed from my application specific type to a maxed out hex field. Is there an option to fix this?

My batch script calls tshark as follows:

asked 05 Aug '14, 11:24 okayh
One Answer:
Replace udp.port with udp.srcport. Not sure I understand what you mean regarding the header content.

answered 05 Aug '14, 12:25 Pascal Quantin
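For the second problem in the question (the link type in the global header), here is an added example that is not part of the original question or answer: a Python check that decodes the 24-byte pcap global header of two files and lists the fields that differ. The sample headers, the link type value 147 and the function names are constructed for illustration. pcapng files, which have no global header of this form, are reported as such.

```python
import struct
import sys

# Magic bytes as they appear on disk -> (struct byte order, timestamp resolution)
PCAP_MAGICS = {
    b"\xd4\xc3\xb2\xa1": ("<", "microsecond"),
    b"\xa1\xb2\xc3\xd4": (">", "microsecond"),
    b"\x4d\x3c\xb2\xa1": ("<", "nanosecond"),
    b"\xa1\xb2\x3c\x4d": (">", "nanosecond"),
}
PCAPNG_MAGIC = b"\x0a\x0d\x0d\x0a"  # pcapng Section Header Block type


def read_global_header(data):
    """Decode the 24-byte classic pcap global header at the start of data."""
    magic = data[:4]
    if magic == PCAPNG_MAGIC:
        # pcapng stores the link type per interface, not in a global header
        return {"format": "pcapng"}
    if magic not in PCAP_MAGICS:
        raise ValueError("unknown magic " + magic.hex())
    if len(data) < 24:
        raise ValueError("truncated global header")
    order, resolution = PCAP_MAGICS[magic]
    major, minor, _zone, _sigfigs, snaplen, network = struct.unpack(
        order + "HHiIII", data[4:24])
    return {"format": "pcap", "resolution": resolution,
            "version": (major, minor), "snaplen": snaplen, "network": network}


def header_diff(before, after):
    """Map each differing header field to its (before, after) values."""
    a, b = read_global_header(before), read_global_header(after)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


# Constructed sample headers (assumption): link type 147 from the user-defined
# range before filtering, and an all-ones network field afterwards.
SAMPLE_BEFORE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 147)
SAMPLE_AFTER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 0xFFFFFFFF)

if __name__ == "__main__":
    blobs = [SAMPLE_BEFORE, SAMPLE_AFTER]
    if len(sys.argv) == 3:  # usage: script.py original.pcap filtered.pcap
        blobs = []
        for path in sys.argv[1:3]:
            with open(path, "rb") as fh:
                blobs.append(fh.read(24))
    for field, values in header_diff(*blobs).items():
        print(field, values)
```

Run it with the original capture and the tshark output as the two arguments to see whether only the network (link type) field changed or the output is in a different file format altogether.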