This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark display filter in windows command-line seems not support special characters

0

I wrote a tshark display filter as this: 

http.request.uri contains "search?q".

It works fine in wireshark with gui in windows. However I get a variety of errors in windows comand-line tshark, like this:

D:\>tshark -r http.pcap -R "http.request.uri contains search?q"
tshark: "?" was unexpected in this context.

D:\>tshark -r http.pcap -R 'http.request.uri contains "search?q"'
tshark: Read filters were specified both with "-R" and with additional command-line arguments

When I remove the "?" from the string, the tshark can print the outcome, but it wasn't the result I want because it prints too much content. I just want the last message from the following list of messages: 

D:\>tshark -r http.pcap -R "http.request.uri contains search"
  5   0.464031 192.168.20.171 -> 74.125.53.139 HTTP 676 GET /complete/search?client=chrome&hl=zh-CN&q=http%3A%2F%2Fbing.com.cn HTTP/1.1
 62   2.329645 192.168.20.171 -> 74.125.71.105 HTTP 787 GET /url?sa=p&hl=zh-CN&pref=hkredirect&pval=yes&q=http://www.google.com.hk/searchdomaincheck%3Fformat%3Ddomain%26type%3Dchrome&ust=1305691041473287&usg=AFQjCNGPbHPEXHcOxDHu2X0Q3r92XfkD7w HTTP/1.1
 65   2.465906 192.168.20.171 -> 74.125.71.105 HTTP 649 GET /searchdomaincheck?format=domain&type=chrome HTTP/1.1
249  10.925213 192.168.20.171 -> 125.252.224.82 HTTP 862 GET /search?q=%E5%BF%85%E5%BA%94&go=&form=QBLH&qs=n&sk= HTTP/1.1

It seems that the tshark diplay filter doesn't support the special characters like "?", "=". Is there any method that I can include those characters in the display filter?

asked 25 Jul '11, 23:14

calcel's gravatar image

calcel
1112
accept rate: 0%

edited 27 Jul '11, 15:41

helloworld's gravatar image

helloworld
3.1k42041

What is the error message you receive?

(26 Jul '11, 00:48) multipleinte...
One Answer:
active answersoldest answersnewest answerspopular answers
3

In windows you have to use double double-quotes to escape the double-quote. The syntax will be:

C:\Download>tshark -r http.cap -R "http.request.uri contains ""search?d"""
 31 7.071765000 192.168.20.10 -> 67.228.110.120 HTTP 589 GET /search?d HTTP/1.1

C:\Download>tshark -r http.cap -R "http.request.uri contains ""search"""
 31 7.071765000 192.168.20.10 -> 67.228.110.120 HTTP 589 GET /search?d HTTP/1.1
163 19.888136000 192.168.20.10 -> 67.228.110.120 HTTP 587 GET /search HTTP/1.1

C:\Download>

Hope this helps :-)

permanent link

answered 26 Jul '11, 01:58

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks a lot. It does solve the problem.

(26 Jul '11, 18:33) calcel
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×832
×254
×165

question asked: 25 Jul '11, 23:14

question was seen: 9,569 times

last updated: 27 Jul '11, 15:41

Related questions

tshark output and ldap.response_in

Throughput calculation

Filtering by mac is not working.

Display filters sometimes fail to deliver in tshark

tshark ssh.host_key.data display filter

Filtering TShark output to only capture decrypted hexadecimal

Retrieving Physical Layer Data Only

Converting a wireshark pcap file to a windows txt file that contains field=value data.

is there tshark in windows?

tshark display filter not working while writing pakets to an outfile

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A