Hi,

Testing some display filters for my home WLAN in tshark. Have noticed that quite a few of them don't work for me. As an example, if I capture one single beacon packet to test on and apply a filter like this:

    tshark -r myfile.pcap -R "wlan.da==ff:ff:ff:ff:ff:ff" -T fields -e wlan_mgt.fixed.chanwidth

it doesn't show anything. But if I check the exact same packet in Wireshark the parameter is visible there. Am I doing something wrong with my tshark filter? Some filters work and some don't.

Thanks.

Regards, Sam

asked 06 Mar '15, 20:57 SamA
One Answer:
Assuming that you use tshark 1.12.x, did you try

    tshark -r myfile.pcap -Y "wlan.da==ff:ff:ff:ff:ff:ff" -T fields -e wlan_mgt.fixed.chanwidth

? Alternatively you could try

    tshark -r myfile.pcap -2R "wlan.da==ff:ff:ff:ff:ff:ff" -T fields -e wlan_mgt.fixed.chanwidth

See https://www.wireshark.org/docs/man-pages/tshark.html for an explanation of the difference between -R and -Y.

answered 06 Mar '15, 22:24 Pascal Quantin
Hi Pascal, Thanks, but it doesn't solve my problem. I think I understand what you are trying to do, but I have no problem listing multiple fields with the -R switch. I can list 3-4 columns with info if I want by just adding more -e <field> values.
It's just that the filter mentioned (and quite a few other filters) don't give any output in tshark. But if I check in Wireshark I find all the fields there.
Could you please share the capture? There is absolutely no reason that a field available in Wireshark is not present in tshark, especially if you use the 2 pass option (-2). Note that your initial command line is not correct when you use a single pass, as explained in the man page.
Hi Pascal, You were right. Got it working finally after doing as you suggested. Thanks!