This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

I'm using this command:

tshark -i wlan0 -I \
        -o wlan.enable_decryption:TRUE \
        -2 -R "ip and !ip.src == 192.168.0.0/24" \
        -T fields -e wlan.ra -e ip.src -e ip.len

Where "and" is actually "&&". This works with tshark v. 1.10, but v. 1.15 says:

Live captures do not support two-pass analysis

So I started to try ostensibly equivalent capture filters, but failed right away -- the ip.src and ip.len fields aren't shown even with just plain -f ip.

How can I get this functionality of v. 1.10 in the newer 1.15?

asked 22 Apr '15, 00:50

mk27

1.15? Where did you get that version from?

(22 Apr '15, 01:59) grahamb ♦

Why the desire for two-pass analysis anyway? Dissecting IP and the IP source address does not need it, neither does the IP length. So I would suggest skipping the '-2' parameter and checking your results.


answered 22 Apr '15, 02:36

Jaap ♦

tshark: -R without -2 is deprecated ...I had thought it plain would not work earlier, so I guess that is fine.

(22 Apr '15, 06:37) mk27

And -Y works. Perhaps I was using a different filter earlier and it did not but I cannot reproduce that now. Sorry for the confusion!

(22 Apr '15, 06:53) mk27
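
The two modes the thread arrives at, written out as an added example that is not part of the original posts: `-Y` for a live capture, and `-2 -R` for a saved capture file. The function names are hypothetical; the interface, subnet and file name are supplied by the caller.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical;
# interface, subnet and capture file are supplied by the caller.

# Display filter shared by both modes: IP packets whose source address is
# outside the given subnet. Parentheses make the negation explicit.
ip_not_from() {
    printf 'ip && !(ip.src == %s)' "$1"
}

# Live capture: single pass only, so the display filter goes to -Y.
# -I requests monitor mode, as in the question.
live_fields() {   # usage: live_fields IFACE SUBNET
    tshark -i "$1" -I \
        -o wlan.enable_decryption:TRUE \
        -Y "$(ip_not_from "$2")" \
        -T fields -e wlan.ra -e ip.src -e ip.len
}

# Saved capture: two-pass analysis (-2) is available when reading a file,
# and -R is then the read filter applied on the first pass.
file_fields() {   # usage: file_fields CAPTURE_FILE SUBNET
    tshark -r "$1" \
        -o wlan.enable_decryption:TRUE \
        -2 -R "$(ip_not_from "$2")" \
        -T fields -e wlan.ra -e ip.src -e ip.len
}

# Runs only when called with arguments, e.g.:
#   sh fields.sh live wlan0 192.168.0.0/24
#   sh fields.sh file capture.pcap 192.168.0.0/24
case "${1:-}" in
    live) live_fields "$2" "$3" ;;
    file) file_fields "$2" "$3" ;;
esac
```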
question asked: 22 Apr '15, 00:50

question was seen: 3,098 times

last updated: 22 Apr '15, 06:53
