This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Display filters sometimes fail to deliver in tshark

0

Hi, Testing some display filters for my home WLAN in tshark. Have noticed that quite a few of them don't work for me. As an example, if I capture one single beacon packet to test on and apply a filter like this:

tshark -r myfile.pcap -R "wlan.da==ff:ff:ff:ff:ff:ff" -T fields -e wlan_mgt.fixed.chanwidth

it doesn't show anything. But if I check the exact same packet in Wireshark the parameter is visible there.

Am I doing something wrong with my tshark filter? Some filters work and some don't.

Thanks.

Regards, Sam

asked 06 Mar '15, 20:57

SamA's gravatar image

SamA
117713
accept rate: 0%

Hi Pascal, Thanks, but it doesn't solve my problem. I think I understand what you try to do, but I have no problem listing multiple fields with the -R switch. I can list 3-4 columns with info if I want by just adding more -e <field> values.

It's just that the filter mentioned (and quite a few other filters) don't give any output in tshark. But if I check in Wireshark I find all the fields there.

(07 Mar '15, 10:43) SamA
1

Could you please share the capture? There is absolutely no reason that a field available in Wireshark is not present in tshark, especially if you use the 2 pass option (-2). Note that your initial command line is not correct when you use a single pass, as explained in the man page

(07 Mar '15, 13:57) Pascal Quantin

Hi Pascal, You were right. Got it working finally after doing as you suggested. Thanks!

(08 Mar '15, 19:05) SamA

One Answer:

1

Assuming that you use tshark 1.12.x, did you give a try to

tshark -r myfile.pcap -Y "wlan.da==ff:ff:ff:ff:ff:ff" -T fields -e wlan_mgt.fixed.chanwidth

? Alternatively you could try

tshark -r myfile.pcap -2R "wlan.da==ff:ff:ff:ff:ff:ff" -T fields -e wlan_mgt.fixed.chanwidth

See https://www.wireshark.org/docs/man-pages/tshark.html for an explanation of the difference between -R and -Y

answered 06 Mar '15, 22:24

Pascal%20Quantin's gravatar image

Pascal Quantin
5.5k1060
accept rate: 30%