This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark display filter in windows command-line seems not support special characters

0

I wrote a tshark display filter as this: 

http.request.uri contains "search?q".

It works fine in wireshark with gui in windows. However I get a variety of errors in windows comand-line tshark, like this:

D:\>tshark -r http.pcap -R "http.request.uri contains search?q"
tshark: "?" was unexpected in this context.

D:\>tshark -r http.pcap -R 'http.request.uri contains "search?q"'
tshark: Read filters were specified both with "-R" and with additional command-line arguments

When I remove the "?" from the string, the tshark can print the outcome, but it wasn't the result I want because it prints too much content. I just want the last message from the following list of messages: 

D:\>tshark -r http.pcap -R "http.request.uri contains search"
  5   0.464031 192.168.20.171 -> 74.125.53.139 HTTP 676 GET /complete/search?client=chrome&hl=zh-CN&q=http%3A%2F%2Fbing.com.cn HTTP/1.1
 62   2.329645 192.168.20.171 -> 74.125.71.105 HTTP 787 GET /url?sa=p&hl=zh-CN&pref=hkredirect&pval=yes&q=http://www.google.com.hk/searchdomaincheck%3Fformat%3Ddomain%26type%3Dchrome&ust=1305691041473287&usg=AFQjCNGPbHPEXHcOxDHu2X0Q3r92XfkD7w HTTP/1.1
 65   2.465906 192.168.20.171 -> 74.125.71.105 HTTP 649 GET /searchdomaincheck?format=domain&type=chrome HTTP/1.1
249  10.925213 192.168.20.171 -> 125.252.224.82 HTTP 862 GET /search?q=%E5%BF%85%E5%BA%94&go=&form=QBLH&qs=n&sk= HTTP/1.1

It seems that the tshark diplay filter doesn't support the special characters like "?", "=". Is there any method that I can include those characters in the display filter?

asked 25 Jul '11, 23:14

calcel's gravatar image

calcel
1112
accept rate: 0%

edited 27 Jul '11, 15:41

helloworld's gravatar image

helloworld
3.1k42041

What is the error message you receive?

(26 Jul '11, 00:48) multipleinte...
One Answer:
active answersoldest answersnewest answerspopular answers
3

In windows you have to use double double-quotes to escape the double-quote. The syntax will be:

C:\Download>tshark -r http.cap -R "http.request.uri contains ""search?d"""
 31 7.071765000 192.168.20.10 -> 67.228.110.120 HTTP 589 GET /search?d HTTP/1.1

C:\Download>tshark -r http.cap -R "http.request.uri contains ""search"""
 31 7.071765000 192.168.20.10 -> 67.228.110.120 HTTP 589 GET /search?d HTTP/1.1
163 19.888136000 192.168.20.10 -> 67.228.110.120 HTTP 587 GET /search HTTP/1.1

C:\Download>

Hope this helps :-)

permanent link

answered 26 Jul '11, 01:58

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks a lot. It does solve the problem.

(26 Jul '11, 18:33) calcel
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×832
×254
×165

question asked: 25 Jul '11, 23:14

question was seen: 9,085 times

last updated: 27 Jul '11, 15:41

Related questions

tshark output and ldap.response_in

Throughput calculation

Filtering by mac is not working.

Display filters sometimes fail to deliver in tshark

tshark ssh.host_key.data display filter

Converting a wireshark pcap file to a windows txt file that contains field=value data.

Filtering TShark output to only capture decrypted hexadecimal

Retrieving Physical Layer Data Only

tshark display filter not working while writing pakets to an outfile

is there tshark in windows?

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A