Wireshark mailing list archives

Re: Display like filter without using Wireshark GUI.


From: Guy Harris <guy () alum mit edu>
Date: Sat, 5 Dec 2009 13:52:09 -0800


On Dec 5, 2009, at 11:40 AM, sean bzd wrote:

Probably a dump question

Yes, it's definitely a question about dumps of network traffic, so  
it's a dump question.  It's not a dumb question, however. :-)

but is there a concept of display filter without using wireshark  
GUI? Meaning that I'm capturing traffic using dumpcap using some  
capture filter. Is there a way to filter further (like a display  
filter)

How about a display filter?

        frame contains 04:02:ff:01:32

without loading the .pcap file in the wireshark?

How about using TShark with that filter expression as a "read filter",  
to check whether a given capture file has a packet containing that  
sequence of bytes?
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>

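Added example, not part of the original message and not Wireshark project code: a standard-library Python sketch of what the "frame contains" check does to a capture file, for the case where the file has to be screened without the GUI. It handles classic pcap only (not pcapng); the function names and the two-packet sample capture are constructed for illustration.

```python
import io
import struct

# TShark equivalent of what this emulates:
#   tshark -r capture.pcap -Y 'frame contains 04:02:ff:01:32'   (-R in older releases)

MAGICS = {
    b"\xd4\xc3\xb2\xa1": "<",  # little-endian, microsecond timestamps
    b"\xa1\xb2\xc3\xd4": ">",  # big-endian, microsecond timestamps
    b"\x4d\x3c\xb2\xa1": "<",  # little-endian, nanosecond timestamps
    b"\xa1\xb2\x3c\x4d": ">",  # big-endian, nanosecond timestamps
}

def parse_pattern(text):
    """Turn Wireshark byte-sequence syntax ('04:02:ff:01:32') into bytes."""
    return bytes(int(part, 16) for part in text.split(":"))

def frames_containing(stream, pattern):
    """Yield 1-based frame numbers of packets whose captured bytes contain pattern."""
    header = stream.read(24)
    if len(header) < 24 or header[:4] not in MAGICS:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    order = MAGICS[header[:4]]
    number = 0
    while True:
        record = stream.read(16)
        if not record:
            return
        if len(record) < 16:
            raise ValueError("truncated packet record header")
        _sec, _frac, incl_len, _orig_len = struct.unpack(order + "IIII", record)
        data = stream.read(incl_len)
        if len(data) < incl_len:
            raise ValueError("truncated packet data")
        number += 1
        if pattern in data:
            yield number

def build_sample_pcap():
    """Constructed two-packet capture; only the second packet holds the sequence."""
    packets = [b"\x00" * 20, b"\xaa\xbb\x04\x02\xff\x01\x32\xcc"]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, pkt in enumerate(packets):
        out += struct.pack("<IIII", i, 0, len(pkt), len(pkt)) + pkt
    return out

if __name__ == "__main__":
    capture = io.BytesIO(build_sample_pcap())
    print(list(frames_containing(capture, parse_pattern("04:02:ff:01:32"))))
```

The match is made against the captured bytes of each packet, so a capture taken with a short snapshot length can miss a sequence that was on the wire but not saved.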