This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TSHARK ADVANCED FILTER

Hi, I have a very huge trace file. How can I filter for the following data in tshark?

expert.message == "Duplicate ACK (#1)" || expert.message == "Duplicate ACK (#2)" || expert.message == "Duplicate ACK (#3)" || expert.message == "Duplicate ACK (#4)"

I would like to do it with tshark because this trace file is too large to open with Wireshark, and it will be painful to split the file, open the pieces one by one, and apply the filter in Wireshark. I can't find any reference about filtering on expert.messages or something like that.

Thanks

asked 10 Nov '11, 11:04

l0k1


One Answer:

You can use tshark's -R argument to apply a display filter to the file.

tshark -r <infile.cap> -R 'expert.message == "Duplicate ACK (#1)" || expert.message == "Duplicate ACK (#2)"'

What you will have to be careful about are the single vs. double quotes. If you use -R ' <filter> ' (single quotes around the whole thing) and then use " (double quotes) inside <filter> you should be all set.

answered 10 Nov '11, 11:25

zachad

Dude, awesome. It works like a charm.

Thanks

Daniel Castillo

(10 Nov '11, 11:32) l0k1
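
The quoting advice in the answer, as an added example that is not part of the original thread: a shell sketch that builds the Duplicate ACK filter for #1 through #N and hands it to tshark as a single argument. The function names and the TSHARK_FILTER_OPT variable are hypothetical; the default of -Y assumes tshark 1.10 or later, where -Y is the single-pass display filter option (set TSHARK_FILTER_OPT=-R for the older releases the answer was written for).

```shell
#!/bin/sh
# Added example; function names and TSHARK_FILTER_OPT are hypothetical.

# build_dupack_filter N
# Prints a display filter matching "Duplicate ACK (#1)" .. "Duplicate ACK (#N)".
build_dupack_filter() {
    max=$1
    # Accept only a positive decimal integer.
    case $max in
        ''|*[!0-9]*) echo "usage: build_dupack_filter <count>" >&2; return 1 ;;
    esac
    [ "$max" -ge 1 ] || { echo "count must be >= 1" >&2; return 1; }

    filter=""
    i=1
    while [ "$i" -le "$max" ]; do
        # The inner double quotes are part of the filter string itself.
        term="expert.message == \"Duplicate ACK (#$i)\""
        if [ -z "$filter" ]; then
            filter=$term
        else
            filter="$filter || $term"
        fi
        i=$((i + 1))
    done
    printf '%s\n' "$filter"
}

# run_dupack_filter FILE N
# Applies the generated filter to a capture file.
run_dupack_filter() {
    infile=$1
    filter=$(build_dupack_filter "$2") || return 1
    opt=${TSHARK_FILTER_OPT:--Y}
    # "$filter" in double quotes reaches tshark as ONE argument, with its
    # embedded double quotes, spaces, parentheses and || left untouched.
    tshark -r "$infile" "$opt" "$filter"
}

# Run only when called as: script.sh <infile.cap> <count>
if [ "$#" -eq 2 ] && command -v tshark >/dev/null 2>&1; then
    run_dupack_filter "$1" "$2"
fi
```
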