I am trying to use tshark to capture all udp packets that do not contain 0xFFFFFFFF or 0xD5D5D5. The capture filter I have defined is as follows: Can anyone work out where (if anywhere) I have gone wrong with the capture filter? asked 15 Feb '15, 11:11  time2innov8 |
One Answer:
Display filter and capture filter are two different filter systems. Capture filters are optimized for high speed filtering while capturing frames, while display filters can filter on much more complicated things. Display filters are not time critical, so it doesn't matter how complex the filtering process is. "frame contains" searches for the pattern in the whole frame. Your tshark filter basically requires that certain patterns do not appear at the offsets you specify, which is much more specific - the pattern must be at a very specific position or the filter won't apply. answered 15 Feb '15, 11:48  Jasper ♦♦ |
The packets transmitted that are to be discarded have the required bytes in the specified positions. The only error may be in the slicing [17:4] however I am using a modifed version from one listed in the tshark documentation so don't think that's the issue. Can anyone confirm that the syntax of the supplied capture and display filters are performing the same function?