This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, Testing some display filters for my home WLAN in tshark. Have noticed that quite a few of them don't work for me. As an example, if I capture one single beacon packet to test on and apply a filter like this:

tshark -r myfile.pcap -R "wlan.da==ff:ff:ff:ff:ff:ff" -T fields -e wlan_mgt.fixed.chanwidth

it doesn't show anything. But if I check the exact same packet in Wireshark the parameter is visible there.

Am I doing something wrong with my tshark filter? Some filters work and some don't.

Thanks.

Regards, Sam

asked 06 Mar '15, 20:57

SamA's gravatar image

SamA
117713
accept rate: 0%

Hi Pascal, Thanks, but it doesn't solve my problem. I think I understand what you try to do, but I have no problem listing multiple fields with the -R switch. I can list 3-4 columns with info if I want by just adding more -e <field> values.

It's just that the filter mentioned (and quite a few other filters) don't give any output in tshark. But if I check in Wireshark I find all the fields there.

(07 Mar '15, 10:43) SamA
1

Could you please share the capture? There is absolutely no reason that a field available in Wireshark is not present in tshark, especially if you use the 2 pass option (-2). Note that your initial command line is not correct when you use a single pass, as explained in the man page

(07 Mar '15, 13:57) Pascal Quantin

Hi Pascal, You were right. Got it working finally after doing as you suggested. Thanks!

(08 Mar '15, 19:05) SamA

Assuming that you use tshark 1.12.x, did you give a try to

tshark -r myfile.pcap -Y "wlan.da==ff:ff:ff:ff:ff:ff" -T fields -e wlan_mgt.fixed.chanwidth

? Alternatively you could try

tshark -r myfile.pcap -2R "wlan.da==ff:ff:ff:ff:ff:ff" -T fields -e wlan_mgt.fixed.chanwidth

See https://www.wireshark.org/docs/man-pages/tshark.html for an explanation of the difference between -R and -Y

permanent link

answered 06 Mar '15, 22:24

Pascal%20Quantin's gravatar image

Pascal Quantin
5.5k1060
accept rate: 30%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×165

question asked: 06 Mar '15, 20:57

question was seen: 1,773 times

last updated: 09 Mar '15, 08:10

p​o​w​e​r​e​d by O​S​Q​A