
tshark: Using filter expression as field?



I would like to distinguish frames from the tshark output, see this failed attempt:

tshark -r mydump-20141015-185000.dump  -Y "frame contains a or frame contains b" -T fields -e frame.time -e "frame contains a" -e "frame contains b"

I would like the following output:

time1 0 1 # not contains a and contains b
time2 1 1 # contains a and contains b
time3 1 0 # contains a and not contains b

Thank you very much! Does tshark have such a capability?

Regards

asked 15 Oct '14, 11:53

i5513

accept rate: 0%

edited 15 Oct '14, 17:28


Guy Harris ♦♦

One Answer:


No, -e currently supports only fields, not arbitrary filter expressions. File an enhancement request at the Wireshark bugzilla if you'd like to see a capability such as this added.

answered 15 Oct '14, 17:27


Guy Harris ♦♦
accept rate: 19%

(16 Oct '14, 09:20) i5513
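
A workaround for the limitation described in the answer, as an added example that is not part of the original thread: run tshark once per display filter, print frame.number and frame.time for the matches, and merge the results into 0/1 columns. The function names, temporary file names and the filters passed on the command line are assumptions; the merge relies on the tab separator that `-T fields` uses by default.

```shell
#!/bin/sh
# Added example: emulate "-e <filter expression>" by running one tshark
# pass per filter and merging the matches on frame.number.

# matches CAPTURE FILTER
# Prints "frame.number<TAB>frame.time" for every frame matching FILTER.
matches() {
    tshark -r "$1" -Y "$2" -T fields -e frame.number -e frame.time
}

# flag_table MATCHES_A MATCHES_B
# Merges two outputs of `matches` into "time<TAB>flagA<TAB>flagB",
# one line per frame that matched at least one filter, in capture order.
flag_table() {
    awk -F '\t' '
        {
            # Decide the source by file name, not FNR, so that an empty
            # first file (no frame matched filter A) is handled correctly.
            src = (FILENAME == ARGV[1]) ? 1 : 2
            time[$1] = $2
            hit[$1, src] = 1
        }
        END {
            for (n in time)
                printf "%d\t%s\t%d\t%d\n", n, time[n],
                       ((n, 1) in hit), ((n, 2) in hit)
        }' "$1" "$2" | sort -n | cut -f 2-
}

# Stand-alone use: script.sh CAPTURE FILTER_A FILTER_B
# e.g. script.sh capture.pcap 'frame contains "a"' 'frame contains "b"'
if [ "$#" -eq 3 ]; then
    tmp=$(mktemp -d)
    matches "$1" "$2" > "$tmp/a"
    matches "$1" "$3" > "$tmp/b"
    flag_table "$tmp/a" "$tmp/b"
    rm -rf "$tmp"
fi
```

The capture is read once per filter, so on large files the run time grows with the number of flag columns.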