This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark display filter

0

I'm using tshark extract smb.file information from a capture file. I have verified the the requested information is in the file using this wireshark filter:

smb.file == "\\EVS_LowRes\\20141009 MLB TESTING_4.dv"

However when using the following tshark filter I get no result:

tshark -Y "smb.file == \"\EVS_LowRes\20141009 MLB TESTING_4.dv"\" -r SharingViolation.trc

can someone please provide some insight…

Thanks

asked 11 Oct '14, 12:39

dblk's gravatar image

dblk
11113
accept rate: 0%

One Answer:

2

What happens if you use the filter

tshark -Y "smb.file == \"\\\\EVS_LowRes\20141009 MLB TESTING_4.dv"\" -r SharingViolation.trc

or

tshark -Y "smb.file == \"\\EVS_LowRes\20141009 MLB TESTING_4.dv"\" -r SharingViolation.trc

answered 11 Oct '14, 12:43

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Guy thanks for the insight. Below is what worked:

\"\\\EVS_LowRes\\\20141009 MLB TESTING_4.dv"\" -r SharingViolation.trc
(11 Oct '14, 12:50) dblk

Was this done with a Windows command line or a UN*X command line? The one with four backslashes might be required on UN*X.

(11 Oct '14, 12:57) Guy Harris ♦♦

It was done in mac os x terminal

(11 Oct '14, 13:44) dblk