I am trying pass a raw captured file through a tshark display filter to generate a newer smaller file. When I run the following script everything works fine: tshark -R "tcp.port == 80" -r inputfile -w outputfile when I run the following: tshark -R I get the error Read filters were specified both with "-R" and with additional command-line arguments the script displayfilter is I suspect it has to do with escaping the quotes, but for the life of me I can't figure it out. Any help greatly appreciated. asked 24 Jun '11, 09:18  freeat12five |
3 Answers:
You need to quote the output of the command substitution (double-quotes, not single-quotes, so it does the command substitution): answered 24 Jun '11, 14:43  Guy Harris ♦♦ |
I found the issue. In the display filter, I was passing ! through awk, which made it freak out. I escaped it using and that did the trick. answered 25 Jun '11, 09:58 freeat12five |
Using "" (backslash) answered 25 Jun '11, 10:00 freeat12five |
Do you mean
or do you mean
The backquotes are important - if you don't specify them, TShark will see "/path/to/script/displayfilter" as the filter string, but if you do specify them, TShark will see the output of /path/to/script/displayfilter as the filter string.
I do have the back quotes in the script. Thanks for catching my omission above.
Interestingly, tshark in OS X and Ubuntu allows the backquoted string without quotes but silently continues as if no filter were entered (in contrast to the behavior described here). I'd rather have tshark throw an error to notify the user and to have consistency across platforms.
On what OS, and with what shell, did you see
when you did
I recreated the symptom in Cygwin bash.