This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Specific IP address display filter using tshark

1

I'm running into issues regarding the use of ip.src as a display filter argument in tshark. The filter works perfectly fine when used with wireshark, I'm not sure if I'm missing something for it's use with tshark though.

In wireshark: ip.src==192.168.0.10

tshark: tshark -r example.pcap -T fields -e frame.time -e ip.src==192.168.0.10 http or http2

The tshark command works fine when just using ip.src to filter the source IP addresses(tshark -r example.pcap -T fields -e frame.time -e ip.src http or http2), it's only when used in order to filter a specific IP address.

I've also tried: tshark -r example.pcap -T fields -e frame.time -e ip.src==192.168.0.0/24 http or http2

Thanks.

asked 27 Aug '15, 13:11

tbm's gravatar image

tbm
29116
accept rate: 0%

edited 27 Aug '15, 13:11

One Answer:

2

You can't apply a filter to a -e field output specification, in addition to supply a display filter you must use the -Y option

To print out the ip.src field and filter for ip.src you need something like (untested):

... -e ip.src -Y "ip.src == 192.168.0.10 and (http or http2)"

answered 27 Aug '15, 13:55

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Thanks! Works perfectly!

(27 Aug '15, 14:18) tbm