I am trying to write a tshark read filter to match a Wireshark display filter that works fine. However, it seems that even using quotation marks (which works in Wireshark), I get a variety of errors, based on the contents. Seems to be the same for both frame contains and tcp.data contains.

-R frame contains "something="
-R frame contains "2134 error"
-R frame contains "txt"
returns: not expected in this context
-R frame contains "(test"
returns: syntax error
-R frame contains ":text"
returns: not valid byte string

I am stumped because these work fine to find the strings in Wireshark. I have successfully written ones with plain text letters that work fine across both TShark and Wireshark, and all I have changed is the read filter strings. Please advise!

asked 22 Jun '11, 15:50 erub (edited 22 Jun '11, 15:50)

One Answer:
On the command line the whole filter should be one string, i.e. the whole display filter should be in quotes (or contain no spaces). You might want to try the following:

(I believe this does not work on Windows, but I know there are ways on Windows, even though I don't know them :-))

answered 22 Jun '11, 16:28 SYN-bit

I actually found the answer to this question (for windows) in another thread:
frame contains " blah blah error crazy characters #&%#($# " works fine. Thanks for the reply!
(converted your "answer" to a "comment", see the FAQ)
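
The quoting point from the answer, as an added example for a POSIX shell that is not part of the original thread. `show_argv` is a hypothetical stand-in that prints the argument vector a program such as tshark would receive, `dfilter_contains` is a hypothetical helper that builds the filter string, and `capture.pcap` is a placeholder file name.

```shell
#!/bin/sh
# Hypothetical stand-in for tshark: prints the argument count and each
# argument in brackets, so the effect of shell quoting is visible.
show_argv() {
    printf '%d' "$#"
    for a in "$@"; do printf ' [%s]' "$a"; done
    printf '\n'
}

# dfilter_contains FIELD NEEDLE
# Builds: FIELD contains "NEEDLE", escaping backslashes and double quotes in
# the needle so it stays one display-filter string literal.
dfilter_contains() {
    needle=$(printf '%s' "$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf '%s contains "%s"' "$1" "$needle"
}

# Filter typed as in the question: the shell splits it on spaces and removes
# the double quotes, so the program never sees a quoted string.
split=$(show_argv -R frame contains "2134 error")

# Whole filter inside single quotes: one argument, inner quotes preserved.
whole=$(show_argv -R 'frame contains "2134 error"')

# Building the filter from an arbitrary search string (constructed sample).
built=$(show_argv -R "$(dfilter_contains frame ':text (test #&%')")

printf '%s\n' "$split" "$whole" "$built"

# With a real capture the same quoting applies, for example:
#   tshark -r capture.pcap -R "$(dfilter_contains frame '2134 error')"
```

In the first call the filter arrives as three separate words with the quotation marks already removed, so the search text is no longer a quoted string by the time the filter parser sees it.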