This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using a variable as a Display Filter

1

I am trying to pass a raw captured file through a tshark display filter to generate a newer smaller file. When I run the following script everything works fine:

tshark -R "tcp.port == 80" -r inputfile -w outputfile

When I run the following:

tshark -R /path/to/script/displayfilter -r inputfile -w outputfile

I get the error: Read filters were specified both with "-R" and with additional command-line arguments

The script displayfilter is:
#!/bin/sh
echo "tcp.port == 80"

I suspect it has to do with escaping the quotes, but for the life of me I can't figure it out. Any help greatly appreciated.

asked 24 Jun '11, 09:18

freeat12five
accept rate: 0%

Do you mean

tshark -R /path/to/script/displayfilter -r inputfile -w outputfile

or do you mean

tshark -R `/path/to/script/displayfilter` -r inputfile -w outputfile

The backquotes are important - if you don't specify them, TShark will see "/path/to/script/displayfilter" as the filter string, but if you do specify them, TShark will see the output of /path/to/script/displayfilter as the filter string.

(24 Jun '11, 11:23) Guy Harris ♦♦

I do have the back quotes in the script. Thanks for catching my omission above.

(24 Jun '11, 14:37) freeat12five

Interestingly, tshark in OS X and Ubuntu allows the backquoted string without quotes but silently continues as if no filter were entered (in contrast to the behavior described here). I'd rather have tshark throw an error to notify the user and to have consistency across platforms.

(24 Jun '11, 16:51) helloworld

On what OS, and with what shell, did you see

Read filters were specified both with "-R" and with additional command-line arguments

when you did

tshark -R `/path/to/script/displayfilter` -r inputfile -w outputfile

(25 Jun '11, 02:28) Guy Harris ♦♦

I recreated the symptom in Cygwin bash.

(28 Jun '11, 08:01) bstn

3 Answers:

2

You need to quote the output of the command substitution (double-quotes, not single-quotes, so it does the command substitution):

tshark -R "`/path/to/script/displayfilter`" -r inputfile -w outputfile

answered 24 Jun '11, 14:43

Guy Harris ♦♦
accept rate: 19%
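
The effect of the double quotes in the answer above, as an added example that is not part of the original thread. The function displayfilter stands in for the asker's script, and show_argv and filtered_argv are hypothetical helpers that print the argument list instead of running tshark:

```shell
#!/bin/sh
# Constructed stand-in for /path/to/script/displayfilter from the question.
displayfilter() {
    echo "tcp.port == 80"
}

# Hypothetical helper: return the argument vector a program would receive,
# one [arg] per word, so word boundaries are visible.
show_argv() {
    out=""
    for arg in "$@"; do
        out="$out[$arg]"
    done
    printf '%s\n' "$out"
}

# Unquoted: the shell splits the script's output on whitespace into three
# words, so only "tcp.port" follows -R and "==" and "80" become additional
# command-line arguments.
unquoted_argv() {
    show_argv tshark -R `displayfilter` -r inputfile -w outputfile
}

# Quoted: the whole output stays one argument, as in the answer above.
quoted_argv() {
    show_argv tshark -R "`displayfilter`" -r inputfile -w outputfile
}

# Hypothetical wrapper: capture the filter once, refuse an empty result
# rather than running with no filter, then pass it as one quoted argument.
# Dry run only: it prints the argv instead of invoking tshark.
filtered_argv() {
    filter=`displayfilter` || return 1
    [ -n "$filter" ] || { echo "empty display filter" >&2; return 1; }
    show_argv tshark -R "$filter" -r inputfile -w outputfile
}

unquoted_argv
quoted_argv
filtered_argv
```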

0

I found the issue. In the display filter, I was passing ! through awk, which made it freak out. I escaped it using and that did the trick.

answered 25 Jun '11, 09:58

freeat12five
accept rate: 0%

0

Using "\" (backslash)

answered 25 Jun '11, 10:00

freeat12five
accept rate: 0%