This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark display filter not working while writing packets to an outfile


Hey everyone,

I have a little problem with capturing packets and writing the raw data to an output file while using display filters. Here is a short example:

I run "tshark -i eth5 -R imap -w test.pcap". When looking at the contents with "tshark -r test.pcap", the following comes out:

```
TIME SRC-IP -> DST-IP TCP 56776 > 50143 [ACK] Seq=416 Ack=782 Win=7504 Len=0 TSV=1012820827 TSER=186804250 7504
TIME SRC-IP -> DST-IP TCP 49360 > 143 [ACK] Seq=101 Ack=919 Win=32762 Len=0 TSV=840349364 TSER=1012820794 32762
TIME SRC-IP -> DST-IP IMAP Response: 4 OK STORE complete 6432
TIME SRC-IP -> DST-IP IMAP Response: * BYE session timeout 6432
```

As you can see, the display filter is not applied. When opening it with "tshark -r test.pcap -R imap", the output is:

```
TIME SRC-IP -> DST-IP IMAP Response: 4 OK STORE complete 6432
TIME SRC-IP -> DST-IP IMAP Response: * BYE session timeout 6432
```

Exactly that is what should be written to the file, nothing more: only the parts with the decoded IMAP stack. Can anyone explain to me what I did wrong and how to solve that issue?

Thanks in advance, Sascha

asked 05 Oct '10, 08:04


Sascha


3 Answers:


Which version are you using? There is a known bug relating to using "-R" with captures in version 1.4.0.

"Filtering tshark captures with display filters (-R) no longer works. (Bug 2234)"

To see the "Known Bugs" list, read the news.txt file in the Wireshark program files directory.

Suggestion: You can, however, capture the packets to a file first (use your -w test.pcap) and then use the -r test.pcap -R testfiltered.pcap method. Not as graceful, but "doable."

answered 05 Oct '10, 09:33


lchappell ♦

Definitely in sync :-)

(05 Oct '10, 09:35) SYN-bit ♦♦

Owe you an email - been loopy on drugs for a back problem - will touch base with you later today!

(05 Oct '10, 14:12) lchappell ♦

Thanks for your hint about the known bug list; I don't know why I didn't look there before, maybe because it's still mentioned in the man page.

As this bug seems to still be present in the current version, I compiled and now use the latest version where writing to disk with display filters was known to work correctly (0.99.6), because the data volume is too high to do any post-processing for all captures. For all other work (viewing, analysing, writing to disk only with capture filters) an up-to-date version is used.

Again, thanks for your help.

(06 Oct '10, 04:22) Sascha
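The two-stage workaround suggested above, plus the check Sascha did by hand (compare the frame count of the written file with and without the display filter), as an added example that is not part of the original thread or of Wireshark itself. It assumes tshark is installed and on PATH; the interface name, the coarse BPF capture filter `tcp port 143` used for stage 1, and the file names are assumptions. The two-frame pcap is constructed inline (one IMAP greeting from port 143 and one bare TCP ACK, mirroring the mix in the question) so that stage 2 and the check run without root or a live interface. One caveat not from the thread: the thread's tshark 1.x uses `-R` for the display filter, while tshark 1.10 and later moved the single-pass display filter to `-Y` (and `-R` there requires `-2`), so the script picks `-Y` when the help text advertises it.

```shell
#!/bin/sh
# Added example, not from the thread: two-stage workaround for the -R/-w bug
# plus the check that the written file holds only frames matching the filter.
set -eu

# hex2bin HEXSTRING -> raw bytes on stdout, using only POSIX printf escapes
hex2bin() {
  hex=$(printf '%s' "$1" | tr -d ' \n')
  while [ -n "$hex" ]; do
    byte=${hex%"${hex#??}"}                   # first two hex digits
    hex=${hex#??}
    printf "\\$(printf '%03o' "0x$byte")"     # emit one byte as \ooo
  done
}

# write_sample_pcap FILE -> constructed two-frame capture standing in for
# the real eth5 trace: one IMAP greeting from port 143 and one bare TCP ACK.
write_sample_pcap() {
  {
    # pcap global header: little endian, snaplen 65535, linktype 1 (Ethernet)
    hex2bin 'd4c3b2a1 0200 0400 00000000 00000000 ffff0000 01000000'
    # frame 1 (66 bytes): 10.0.0.1:143 -> 10.0.0.2:49360, PSH/ACK, "* OK ready\r\n"
    hex2bin '00000000 00000000 42000000 42000000'                 # record header
    hex2bin '001122334455 66778899aabb 0800'                      # Ethernet
    hex2bin '4500 0034 0001 4000 4006 26c1 0a000001 0a000002'     # IPv4
    hex2bin '008f c0d0 00000001 00000001 5018 2000 499a 0000'     # TCP
    hex2bin '2a204f4b2072656164790d0a'                            # IMAP payload
    # frame 2 (54 bytes): 10.0.0.2:49360 -> 10.0.0.1:143, pure ACK, no payload
    hex2bin '01000000 00000000 36000000 36000000'
    hex2bin '66778899aabb 001122334455 0800'
    hex2bin '4500 0028 0002 4000 4006 26cc 0a000002 0a000001'
    hex2bin 'c0d0 008f 00000001 0000000d 5010 2000 ba64 0000'
  } > "$1"
}

# -R is the display-filter flag on the 1.x tshark in this thread. Caveat not
# from the thread: tshark 1.10 and later moved the single-pass display filter
# to -Y (and -R there needs -2), so use -Y when the help text advertises it.
if [ -z "${DFILTER_FLAG:-}" ]; then
  if tshark -h 2>/dev/null | grep -q ' -Y '; then DFILTER_FLAG=-Y; else DFILTER_FLAG=-R; fi
fi

# Stage 1 (needs root and a real interface; not run below): write everything
# matching a BPF *capture* filter. Capture filters do work together with -w;
# 'tcp port 143' is an assumed coarse pre-filter to keep the file small.
capture_raw() {            # capture_raw IFACE OUTFILE
  tshark -i "$1" -f 'tcp port 143' -w "$2"
}

# Stage 2: re-read the saved file, apply the *display* filter, write the rest.
filter_saved() {           # filter_saved INFILE DFILTER OUTFILE
  tshark -r "$1" "$DFILTER_FLAG" "$2" -w "$3"
}

# frame_count FILE [DFILTER] -> number of frames tshark prints for FILE
frame_count() {
  if [ $# -ge 2 ]; then
    tshark -r "$1" "$DFILTER_FLAG" "$2" | wc -l | tr -d ' '
  else
    tshark -r "$1" | wc -l | tr -d ' '
  fi
}

# verify_filtered FILE DFILTER -> succeeds only if FILE is non-empty and
# every frame in it matches DFILTER (the check the question did by hand).
verify_filtered() {
  total=$(frame_count "$1")
  matching=$(frame_count "$1" "$2")
  [ "$total" -gt 0 ] && [ "$total" -eq "$matching" ]
}

if command -v tshark >/dev/null 2>&1; then
  dir=$(mktemp -d)
  write_sample_pcap "$dir/raw.pcap"
  filter_saved "$dir/raw.pcap" imap "$dir/imap.pcap"
  echo "raw: $(frame_count "$dir/raw.pcap") frames, imap-only: $(frame_count "$dir/imap.pcap") frames"
  verify_filtered "$dir/imap.pcap" imap && echo "OK: imap.pcap holds only IMAP frames"
fi
```

For a real capture, run `capture_raw eth5 raw.pcap` as root (stop it with Ctrl-C or add `-c`/`-a duration:`), then `filter_saved raw.pcap imap imap.pcap` and `verify_filtered imap.pcap imap`. The constructed file gives 2 frames raw and 1 frame after filtering, which is exactly the "TCP ACKs dropped, IMAP responses kept" result the question expected from `-R imap -w`.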


From the release notes:

Filtering tshark captures with display filters (-R) no longer works. (Bug 2234)

In short, while capturing with tshark and writing to disk, display filters will not work. This needs to be fixed, but is rather difficult to fix.

answered 05 Oct '10, 09:30


SYN-bit ♦♦

We must be in sync today, Sake! <g>

(05 Oct '10, 09:34) lchappell ♦


tshark read filters aren't supported when capturing and saving the captured packets.

answered 16 Jun '12, 00:52


DavidMeng