This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Blank output when applying reading filter

My ncap file is displayed properly without any filter:

tshark -r myfile.ncap
1 0.000000 ArrisGro_16:a0:14 → AskeyCom_9a:2b:a1 802.11 400 QoS Data, SN=2900, FN=0,
2 0.000234 ArrisGro_16:a0:14 → AskeyCom_9a:2b:a1 802.11 400 QoS Data, SN=2900, FN=0, 
[...]

However, when applying a filter, tshark does not output any line:

tshark -r myfile.ncap -Y eth.addr_resolved==ArrisGro_16:a0:14

Why is there no output when I apply the filter?

asked 31 Oct '16, 12:11

user31415


One Answer:

Why is there no output when I apply the filter?

Because there is no eth field in your wlan (802.11) frames, and thus no frame can match the display filter expression.

Use tshark -r myfile.ncap -Y wlan.addr_resolved==ArrisGro_16:a0:14 instead.

answered 01 Nov '16, 01:59

sindy
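
The point of the answer above, as an added example that is not part of the original thread: read the protocol stack of the first frame (`frame.protocols`) and build the address filter from the link layer that is actually present, so an `eth.*` filter is never applied to an 802.11 capture. The function names are hypothetical, and the script assumes the first frame is representative of the whole capture.

```shell
#!/bin/sh
# Added example: choose the *.addr_resolved field that matches the capture's
# link layer. Function names are hypothetical, not part of tshark.

# $1 = a frame.protocols value, e.g. "radiotap:wlan_radio:wlan:data".
# Prints the address field for the outermost eth/wlan layer; fails if neither
# is present (the case where an address filter silently matches nothing).
addr_field_for() {
    _old_ifs=$IFS
    IFS=:
    set -f                      # no glob expansion while splitting on ':'
    _field=
    for _p in $1; do
        case "$_p" in
            wlan) _field=wlan.addr_resolved; break ;;
            eth)  _field=eth.addr_resolved;  break ;;
        esac
    done
    set +f
    IFS=$_old_ifs
    [ -n "$_field" ] && echo "$_field"
}

# $1 = frame.protocols value, $2 = resolved name as tshark prints it.
build_filter() {
    _f=$(addr_field_for "$1") || return 1
    printf '%s==%s\n' "$_f" "$2"
}

# $1 = capture file, $2 = resolved name. Requires tshark on PATH.
filter_by_name() {
    _protos=$(tshark -r "$1" -c 1 -T fields -e frame.protocols) || return 1
    _filter=$(build_filter "$_protos" "$2") || {
        echo "no eth or wlan layer in first frame: $_protos" >&2
        return 1
    }
    tshark -r "$1" -Y "$_filter"
}

# Usage with the values from the question:
#   filter_by_name myfile.ncap ArrisGro_16:a0:14
```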