This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Live captures do not support two-pass analysis

0

I'm using this command:

tshark -i wlan0 -I \
        -o wlan.enable_decryption:TRUE \
        -2 -R "ip and !ip.src == 192.168.0.0/24" \
        -T fields -e wlan.ra -e ip.src -e ip.len

Where "and" is actually "&&". This works with tshark v. 1.10, but v. 1.15 says:

Live captures do not support two-pass analysis

So I started to try ostensibly equivalent capture filters, but failed right away -- the ip.src and ip.len fields aren't shown even with just plain -f ip.

How can I get this functionality of v. 1.10 in the newer 1.15?

asked 22 Apr '15, 00:50

mk27
accept rate: 0%

1.15? Where did you get that version from?

(22 Apr '15, 01:59) grahamb ♦

One Answer:

1

Why the desire for two-pass analysis anyway? Dissecting IP and the IP source address does not need it, neither does the IP length. So I would suggest skipping the '-2' parameter and checking your results.

answered 22 Apr '15, 02:36

Jaap ♦
accept rate: 14%

tshark: -R without -2 is deprecated ... I had thought it plain would not work earlier, so I guess that is fine.

(22 Apr '15, 06:37) mk27

And -Y works. Perhaps I was using a different filter earlier and it did not but I cannot reproduce that now. Sorry for the confusion!

(22 Apr '15, 06:53) mk27