This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

filter unanswered diameter queries through tshark

0

Hi experts,

While using the following filter through the Wireshark GUI application, it gives me the desired results, i.e. diameter requests that didn't receive a response.

diameter.flags.request == 1 and !diameter.answer_in

But when I tried to execute the same filter using the tshark -R syntax, it simply shows me the entire list of diameter request packets irrespective of their answer status.

I want to know how to execute this specific filter using the tshark command?

Thanks in advance!

asked 13 Mar '17, 10:01

Vijay Gharge


One Answer:

1

-R is a read filter option that limits what packets are loaded from the capture, and as such it won't work for filter elements that require a 2nd pass.

In this case use the -Y display filter option that corresponds to the display filter in Wireshark.

answered 13 Mar '17, 10:09

grahamb ♦

Wow... that was superfast. Thanks! I will definitely check this and will confirm. I presume no dependency on tshark version, correct?

(13 Mar '17, 10:16) Vijay Gharge
1

-Y was added in March 2013, see the bug here.

I leave it as an exercise for the reader to determine what version that was then released in.

(13 Mar '17, 10:28) grahamb ♦
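
Added example (not part of the original posts, and not Wireshark's code): a simplified Python model of why a filter on diameter.answer_in needs a second pass over the capture. The frames are constructed sample data, and pairing requests with answers by Hop-by-Hop Identifier alone is a simplifying assumption.

```python
# Simplified model of request/answer linking; not Wireshark's dissector.
# Constructed sample capture: (frame number, is_request, hop-by-hop id).
FRAMES = [
    (1, True, 0x1001),   # request, answered in frame 3
    (2, True, 0x1002),   # request, never answered
    (3, False, 0x1001),  # answer to frame 1
    (4, True, 0x1003),   # request, answered in frame 5
    (5, False, 0x1003),  # answer to frame 4
]


def dissection_pass(frames, answer_in):
    """Dissect every frame once, in capture order.

    `answer_in` maps request frame -> answer frame and persists between
    passes. Returns the request frames matching the filter
    'request == 1 and !answer_in' at the moment each frame is evaluated.
    """
    pending = {}   # hop-by-hop id -> request frame still waiting for an answer
    matched = []
    for number, is_request, hop_id in frames:
        if is_request:
            pending[hop_id] = number
            # The filter only sees links learned so far.
            if number not in answer_in:
                matched.append(number)
        elif hop_id in pending:
            # The link to the request becomes known only when the answer arrives.
            answer_in[pending.pop(hop_id)] = number
    return matched


def unanswered_one_pass(frames):
    """Filter while reading: every request looks unanswered when first seen."""
    return dissection_pass(frames, {})


def unanswered_two_pass(frames):
    """First pass learns the links, second pass applies the filter."""
    answer_in = {}
    dissection_pass(frames, answer_in)
    return dissection_pass(frames, answer_in)


if __name__ == "__main__":
    print("one pass :", unanswered_one_pass(FRAMES))
    print("two pass :", unanswered_two_pass(FRAMES))
```
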