This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Display filter in tshark

0

While creating different flows from pcap file (say trace.pcap) I am using following command

tshark -r trace.pcap -T fields -e frame.number -e ip.src -e ip.dst="172.141.90.14" -e tcp.srcport -e frame.len -E separator=, -E header=y

It gives an error: ip.dst is not a valid field. Can anyone help me trace this issue?

asked 03 Oct '14, 03:38


loneharoon
1111
accept rate: 0%


2 Answers:

0

Most likely it does not work because with display filter type syntax you need to use double equals, like

-e ip.dst=="172.141.90.14"

answered 03 Oct '14, 03:40


Jasper ♦♦
23.8k551284
accept rate: 18%

I tried both ways like -e ip.dst=="192.12.3.2" ,and -e "ip.dst==192.12.3.2".

But still it is showing (tshark.exe:3228): WARNING : 'ip.dst==192.12.3.2' isn't a valid field! tshark: Some fields aren't valid

(03 Oct '14, 04:11) loneharoon

Hm, I guess then it is simply not possible to use filter syntax in combination with "-e", because it is just a field designation. If you try using "ip.dst" without anything else it should work. In that case you need to filter with a read filter or display filter (by adding a -R or -Y parameter).

(03 Oct '14, 04:20) Jasper ♦♦

0

As Jasper said: "-e" is not for filters, it's for fields. So you probably want something like:

tshark -r trace.pcap -T fields -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e frame.len -E separator=, -E header=y -Y 'ip.dst == 172.141.90.14'

answered 03 Oct '14, 06:04


JeffMorriss ♦
6.2k572
accept rate: 27%
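The split the two answers describe (bare field names after `-e`, the comparison in the `-Y` display filter) is easy to get wrong from a shell one-liner, so here is an added example, not code from the thread or from the Wireshark project, that builds the tshark argument list programmatically and then groups the resulting `-T fields` CSV into flows, which is what the question was trying to do. The function names, the rejection check and the `SAMPLE_OUTPUT` rows are my own assumptions; the sample is constructed to look like `-E separator=, -E header=y` output and is not captured from a real trace.

```python
"""Added example: keep tshark field extraction (-e) separate from filtering (-Y),
then turn the CSV that '-T fields -E separator=, -E header=y' prints into flows.
Not part of the original Q&A thread; names and sample data are assumptions."""
import csv
import io
import re
import shutil
import subprocess
from collections import defaultdict

FIELDS = ["frame.number", "ip.src", "ip.dst", "tcp.srcport", "tcp.dstport", "frame.len"]

# Anything with a comparison operator is filter syntax, not a field name.
_OPERATOR = re.compile(r"[=!<>~]| (?:eq|ne|gt|lt|ge|le|contains|matches) ")


def build_tshark_argv(pcap, fields, display_filter=None):
    """Return tshark's argv as a list (no shell quoting needed that way).

    Each -e takes a bare field name such as ip.dst; a comparison like
    ip.dst == 172.141.90.14 belongs in the -Y display filter instead.
    """
    argv = ["tshark", "-r", pcap, "-T", "fields", "-E", "separator=,", "-E", "header=y"]
    for field in fields:
        if _OPERATOR.search(field):
            raise ValueError(f"{field!r} is filter syntax, not a field name; pass it via display_filter")
        argv += ["-e", field]
    if display_filter:
        argv += ["-Y", display_filter]  # one argv entry, so spaces/quotes inside are safe
    return argv


def parse_fields_csv(text):
    """Parse '-T fields -E separator=, -E header=y' output into dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def group_flows(rows):
    """Group rows into bidirectional flows keyed on the sorted endpoint pair.

    Packets without TCP ports (e.g. ICMP) get empty strings from tshark, so they
    still land in a (src, '', dst, '') group instead of raising KeyError.
    """
    flows = defaultdict(list)
    for row in rows:
        endpoints = sorted([(row["ip.src"], row["tcp.srcport"]), (row["ip.dst"], row["tcp.dstport"])])
        flows[tuple(endpoints)].append(row)
    return dict(flows)


# Constructed sample of what the command prints without a -Y filter (not real trace data).
SAMPLE_OUTPUT = """frame.number,ip.src,ip.dst,tcp.srcport,tcp.dstport,frame.len
1,10.0.0.5,172.141.90.14,51000,80,74
2,172.141.90.14,10.0.0.5,80,51000,74
3,10.0.0.5,172.141.90.14,51000,80,66
4,10.0.0.5,172.141.90.14,51002,443,74
5,10.0.0.5,172.141.90.14,,,98
"""


def run_tshark(argv):
    """Run tshark if it is installed; return None otherwise so the demo stays offline."""
    if shutil.which("tshark") is None:
        return None
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    argv = build_tshark_argv("trace.pcap", FIELDS, "ip.dst == 172.141.90.14")
    print("would run:", " ".join(argv))
    output = run_tshark(argv) or SAMPLE_OUTPUT
    for key, packets in group_flows(parse_fields_csv(output)).items():
        print(key, "->", [p["frame.number"] for p in packets])
```

Passing the filter as its own list element sidesteps the quoting problem entirely; on the command line the equivalent is `-Y 'ip.dst == 172.141.90.14'`, with the whole expression in single quotes and a double `==`.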