While creating different flows from a pcap file (say trace.pcap) I am using the following command:

tshark -r trace.pcap -T fields -e frame.number -e ip.src -e ip.dst="172.141.90.14" -e tcp.srcport -e frame.len -E separator=, -E header=y

It gives an error: ip.dst is not a valid field. Can anyone help me in tracing this issue?

asked 03 Oct '14, 03:38 loneharoon
2 Answers:
Most likely it does not work because with display filter type syntax you need to use double equals, like
answered 03 Oct '14, 03:40 Jasper ♦♦
As Jasper said: "-e" is not for filters it's for fields. So you probably want something like:
answered 03 Oct '14, 06:04 JeffMorriss ♦
I tried both ways, like -e ip.dst=="192.12.3.2" and -e "ip.dst==192.12.3.2".
But still it is showing: (tshark.exe:3228): WARNING : 'ip.dst==192.12.3.2' isn't a valid field! tshark: Some fields aren't valid
Hm, I guess then it is simply not possible to use filter syntax in combination with "-e", because it is just a field designation. If you try using "ip.dst" without anything else it should work. In that case you need to filter with a read filter or display filter (by adding a -R or -Y parameter).
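The split the answers describe, fields under -e and the comparison under -Y, as an added example that is not part of the original thread. The function names, the TSHARK override variable and the character set accepted for field names are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example, not from the thread. -e only names a column to print;
# the comparison goes into a display filter passed with -Y.

# is_field NAME: true if NAME is a bare field name. Assumption: field
# names consist of letters, digits, '.', '_' and '-' only.
is_field() {
    case "$1" in
        ''|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# flows_csv PCAP FILTER FIELD...: print the selected fields as CSV for
# packets matching FILTER. TSHARK is a hypothetical override for the
# binary to run (defaults to tshark on PATH).
flows_csv() {
    if [ "$#" -lt 3 ]; then
        echo "usage: flows_csv PCAP FILTER FIELD..." >&2
        return 2
    fi
    pcap=$1 filter=$2
    shift 2
    nfields=$#
    for f in "$@"; do
        if ! is_field "$f"; then
            echo "'$f' is not a field name; move the test into FILTER" >&2
            return 1
        fi
        set -- "$@" -e "$f"      # append "-e FIELD" after the originals
    done
    shift "$nfields"             # drop the originals, keep the -e pairs
    "${TSHARK:-tshark}" -r "$pcap" -Y "$filter" -T fields "$@" \
        -E separator=, -E header=y
}

# The question's command, with the address test moved out of -e:
#   flows_csv trace.pcap 'ip.dst == 172.141.90.14' \
#       frame.number ip.src ip.dst tcp.srcport frame.len
if [ "$#" -ge 3 ]; then
    flows_csv "$@"
fi
```

The field check rejects both forms tried in the thread (`ip.dst==192.12.3.2` and `ip.dst=172.141.90.14`) before tshark is started, so the mistake is reported with a pointer to the filter argument instead of tshark's "isn't a valid field" warning.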