This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Display Filter including "@"


Hi all, I am not sure if the following issue is a bug or just my fault... I refer to wireshark 2.2.2 and I am almost sure this problem didn't exist in the 1.8.X releases. Anyway - my problem is this:

I want to start wireshark, including opening a pcap file and applying a display filter. So my syntax looks like this: "path to wireshark"\wireshark.exe -r abc.pcap -Y "display filter"

This works great, as long as my display filter doesn't contain the @ character. But as I often work with SIP Call-IDs as a display filter, I need to have the @ in my filter.

Previously, it was sufficient to enclose the Call-ID in quotation marks, for example: wireshark.exe -r input.pcap -Y "sip.Call-ID == "[email protected]"" -w call.pcap

But after wireshark has started and opened the input.pcap, it states that the "@" was unexpected in this context. But when you look at the actual display filter, it looks like this: sip.Call-ID == [email protected]. So, obviously, wireshark trimmed the quotation marks, and therefore the display filter becomes invalid.

When I start wireshark with the same syntax, including a display filter without an "@" it works just fine.

And it also works when I start wireshark without any parameter, then open the pcap file manually and then also apply the filter manually, like this: sip.Call-ID == "[email protected]"

And by the way: it's the same behavior when I use tshark instead of wireshark.

My question is now: is it a bug in the current release, or is there another functional way to let wireshark start, open a pcap file, apply a display filter with "@" characters, and save the filtered packets in another pcap file?

Thanks a lot in advance, Josch

asked 07 Dec '16, 01:41


Josch

What OS and shell are you running the commands from?

(07 Dec '16, 02:42) grahamb ♦

It was from a "windows 7 enterprise" out of a "cmd.exe" box...

(07 Dec '16, 02:50) Josch

One Answer:


From the command line you have to quote it correctly: you need to quote the filter expression for the shell (cmd.exe) and the argument (for Wireshark) using either different quote characters or escapes. Using different quote characters (single quotes for the argument containing @) gives an expression such as:

wireshark.exe -r input.pcap -Y "sip.Call-ID == '[email protected]'" -w call.pcap

Using escaping requires 2 additional double quotes to escape one of them giving:

wireshark.exe -r input.pcap -Y "sip.Call-ID == """[email protected]"""" -w call.pcap

Note you now have 4 double quotes at the end of the filter expression, 2 to escape the one for the end of the argument and one to end the expression.

answered 07 Dec '16, 03:25


grahamb ♦
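An added example, not code from this thread or from the Wireshark project, to make visible what each quoting form in this answer delivers to the program: cmd.exe does not strip the double quotes itself; the C runtime of the launched program (the same rules CommandLineToArgvW uses) splits the raw command line into argv. The Python below re-implements those rules (split_windows_args, filter_argument and scripted_cmdline are names chosen here; the Call-ID and file names are constructed) and returns the -Y string Wireshark's filter parser actually receives, plus the third option for scripts: pass an argument list and let subprocess.list2cmdline quote it.

```python
import subprocess


def split_windows_args(cmdline: str) -> list[str]:
    """Split a raw Windows command line into argv like the Microsoft C runtime: 2n backslashes
    before '"' give n backslashes and a quote toggle; 2n+1 give n backslashes plus a literal '"';
    '""' inside a quoted span yields one literal '"'; other backslashes are literal."""
    args, cur, quoted, started, i = [], [], False, False, 0
    while i < len(cmdline):
        c = cmdline[i]
        if c == "\\":
            j = i
            while j < len(cmdline) and cmdline[j] == "\\":
                j += 1
            nbs = j - i
            if j < len(cmdline) and cmdline[j] == '"':
                cur.append("\\" * (nbs // 2))
                if nbs % 2:              # odd run: the quote itself is literal
                    cur.append('"')
                    j += 1
            else:
                cur.append("\\" * nbs)   # backslashes not before '"' are literal
            i, started = j, True
        elif c == '"':
            if quoted and cmdline[i + 1:i + 2] == '"':
                cur.append('"')          # "" inside quotes -> one literal "
                i += 1
            else:
                quoted = not quoted
            i, started = i + 1, True
        elif c in " \t" and not quoted:
            if started:
                args.append("".join(cur))
                cur, started = [], False
            i += 1
        else:
            cur.append(c)
            i, started = i + 1, True
    if started:
        args.append("".join(cur))
    return args


def filter_argument(cmdline: str) -> str:
    """The -Y value exactly as wireshark.exe/tshark.exe's display-filter parser receives it."""
    argv = split_windows_args(cmdline)
    return argv[argv.index("-Y") + 1]


def scripted_cmdline(call_id: str) -> str:
    """From a script, pass argv as a list; Python emits backslash-escaped quotes, a third valid form."""
    return subprocess.list2cmdline(["tshark.exe", "-r", "input.pcap", "-Y",
                                    'sip.Call-ID == "' + call_id + '"', "-w", "call.pcap"])
```

Feeding the answer's `"""` form through filter_argument yields the double-quoted Call-ID string, while the single-quote form arrives with its single quotes intact, so whether it works depends only on the display-filter parser, not on cmd.exe.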

Graham,

first of all: Thanks a lot for your quick response!

I tested both alternatives - and one does the trick! ;-)

1) Using different quote characters didn't work (hoping I typed it in correctly...). I tested it with the following command: "C:\Program Files\Wireshark\wireshark.exe" -r input.pcap -Y "sip.Call-ID == '[email protected]'"

Result: "sip.Call-ID == '[email protected]'" isn't a valid display filter: "120098715_115318183" was unexpected in this context.

2) Using the double quotes: "C:\Program Files\Wireshark\wireshark.exe" -r output_1.pcap -Y "sip.Call-ID == """[email protected]""""

This worked fine and the resulting display filter in wireshark was: sip.Call-ID == "[email protected]"

Thanks again, Josch

(07 Dec '16, 03:53) Josch

Looks like the first one wasn't typed correctly as it works for me and has been my standard quoting technique for this issue for decades. The ending quotes should be a single quote then a double quote which is hard to differentiate on the screen, i.e. the inner string has single quotes, the entire expression has double quotes.

The second one requires more typing and careful typing which is why I don't bother with it.

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(07 Dec '16, 04:46) grahamb ♦