Wireshark mailing list archives

Re: absolute frame number in capture with -R ?

From: Evan Huus <eapache () gmail com>
Date: Mon, 28 Apr 2014 07:39:53 -0400

On Mon, Apr 28, 2014 at 1:29 AM, Mathias Koerber <mathias () koerber org> wrote:


I have a rather large pcap file I am trying to extract
relevant frames from using tshark.

using

# tshark -2 -n -r infile -R '(filter)' -T fields -e frame.number

yields frame-numbers starting from 1 anr continuously increasing.
So apparently this counts the frames that matched the display filter.

I would like to print the actual frame-number from the input file,
so that I can later find the frames in their original context.

How to do that?


If you're using tshark 1.10 or later, use the -Y 'filter' flag instead
of -R 'filter'.

Evan
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

absolute frame number in capture with -R ? Mathias Koerber (Apr 27)
- Re: absolute frame number in capture with -R ? Evan Huus (Apr 28)