This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark display filter in windows command-line seems not support special characters

0

I wrote a tshark display filter as this:

http.request.uri contains "search?q".

It works fine in wireshark with gui in windows. However I get a variety of errors in windows comand-line tshark, like this:

D:\>tshark -r http.pcap -R "http.request.uri contains search?q"
tshark: "?" was unexpected in this context.

D:>tshark -r http.pcap -R 'http.request.uri contains "search?q"'
tshark: Read filters were specified both with "-R" and with additional command-line arguments

When I remove the “?” from the string, the tshark can print the outcome, but it wasn’t the result I want because it prints too much content. I just want the last message from the following list of messages:

D:>tshark -r http.pcap -R "http.request.uri contains search"
5   0.464031 192.168.20.171 -> 74.125.53.139 HTTP 676 GET /complete/search?client=chrome&hl=zh-CN&q=http%3A%2F%2Fbing.com.cn HTTP/1.1
62   2.329645 192.168.20.171 -> 74.125.71.105 HTTP 787 GET /url?sa=p&hl=zh-CN&pref=hkredirect&pval=yes&q=http://www.google.com.hk/searchdomaincheck%3Fformat%3Ddomain%26type%3Dchrome&ust=1305691041473287&usg=AFQjCNGPbHPEXHcOxDHu2X0Q3r92XfkD7w HTTP/1.1
65   2.465906 192.168.20.171 -> 74.125.71.105 HTTP 649 GET /searchdomaincheck?format=domain&type=chrome HTTP/1.1
249  10.925213 192.168.20.171 -> 125.252.224.82 HTTP 862 GET /search?q=%E5%BF%85%E5%BA%94&go=&form=QBLH&qs=n&sk= HTTP/1.1

It seems that the tshark diplay filter doesn’t support the special characters like “?”, “=”. Is there any method that I can include those characters in the display filter?

asked 25 Jul ‘11, 23:14

calcel's gravatar image

calcel
1112
accept rate: 0%

edited 27 Jul ‘11, 15:41

helloworld's gravatar image

helloworld
3.1k42041

What is the error message you receive?

(26 Jul ‘11, 00:48) multipleinte…

One Answer:

3

In windows you have to use double double-quotes to escape the double-quote. The syntax will be:

C:\Download>tshark -r http.cap -R "http.request.uri contains ""search?d"""
 31 7.071765000 192.168.20.10 -> 67.228.110.120 HTTP 589 GET /search?d HTTP/1.1

C:\Download>tshark -r http.cap -R "http.request.uri contains ""search"""
31 7.071765000 192.168.20.10 -> 67.228.110.120 HTTP 589 GET /search?d HTTP/1.1
163 19.888136000 192.168.20.10 -> 67.228.110.120 HTTP 587 GET /search HTTP/1.1


C:\Download>

Hope this helps :-)

answered 26 Jul ‘11, 01:58

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks a lot. It does solve the problem.

(26 Jul ‘11, 18:33) calcel