Wireshark mailing list archives

Re: Tshark Tcap filtering


From: Erdinç Taşkın <erdinctaskin () gmail com>
Date: Fri, 23 Sep 2011 11:38:48 +0300

Thanks, Jeff, for your comments. My Wireshark is a pretty old version. I will try
with the newest version.




2011/9/20 Jeff Morriss <jeff.morriss.ws () gmail com>

Erdinç Taşkın wrote:

Hello,

I have a problem with filtering from a pcap file. I have a capture file that
was created by tcpdump. When I use the filter criteria "(tcap.tid == 01:5e:00:00) ||
(tcap.tid == 53:d0:90:96)" in Wireshark, it finds the packet. On the same capture file,
tshark (exact command "/tshark -R "(tcap.tid == 01:5e:00:00) ||
(tcap.tid == 53:d0:90:96)" -r test.pcap") does not match any packet. What is
wrong?


What version are you using?  It works fine for me using the current trunk
(which would probably be equivalent to 1.6.2 for this test).

If you run tshark without the read filter and with "-V" do you see the TCAP
part, in particular the TIDs?
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe




-- 
Erdinç Taşkın
erdinctaskin.blogspot.com