Wireshark mailing list archives
Re: Tshark Tcap filtering
From: Jeff Morriss <jeff.morriss.ws () gmail com>
Date: Tue, 20 Sep 2011 10:14:58 -0400
Erdinç Taşkın wrote:
Hello,I have a problem about filtering from pcap file. I got a capture file that created by tcpdump. I use filter criteria that "(tcap.tid == 01:5e:00:00) || (tcap.tid == 53:d0:90:96)" on wireshark found packet. On same capture file, using tshark (exact command "/tshark -R "(tcap.tid == 01:5e:00:00) || (tcap.tid == 53:d0:90:96)" -r test.pcap") does not match any packet. What is wrong?
What version are you using? It works fine for me using the current trunk (which would probably be equivalent to 1.6.2 for this test).
If you run tshark without the read filter and with "-V" do you see the TCAP part, in particular the TIDs?
___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- Tshark Tcap filtering Erdinç Taşkın (Sep 20)
- Re: Tshark Tcap filtering Jeff Morriss (Sep 20)
- merged capture file filtering Malcolm Herbert (Sep 20)
- Re: merged capture file filtering Malcolm Herbert (Sep 21)
- Re: Tshark Tcap filtering Erdinç Taşkın (Sep 23)
- merged capture file filtering Malcolm Herbert (Sep 20)
- Re: Tshark Tcap filtering Jeff Morriss (Sep 20)