Wireshark
the world's foremost network protocol analyzer
Wireshark-dev: Re: [Wireshark-dev] filter expression required
From: Amit Paliwal <Amit.Paliwal@xxxxxxxxxxxxxxx>
Date: Mon, 2 Jul 2007 11:58:39 +0530
Command line:- wireshark -i \Device\NPF_{52EFAA93-34C5-4F7E-80AE-638A48E3F1BD} -k -f UDP
but I want something like
Command line:- wireshark -i \Device\NPF_{52EFAA93-34C5-4F7E-80AE-638A48E3F1BD} -k -f UDP contains my_protocol
so that only my_protocol gets sniffed.
| "Gilbert Ramirez"
<gram@xxxxxxxxxxxxxxx>
Sent by: wireshark-dev-bounces@xxxxxxxxxxxxx 07/02/2007 11:47 AM
|
|
Can you show us the command-line you are using?
--gilbert
On 7/2/07, Amit Paliwal <Amit.Paliwal@xxxxxxxxxxxxxxx > wrote:
yes that is what i am saying, when i try to give a filter from Wireshark GUI i am able to do so, but I want the same scenario in command line also....not from GUI.
| "Gilbert Ramirez"
<gram@xxxxxxxxxxxxxxx>
Sent by: wireshark-dev-bounces@xxxxxxxxxxxxx 07/02/2007 11:31 AM
|
|
A pcap filter? You mean a capture file? The pcap/capture filter syntax does not provide a 'contains' keyword, so it's not possible. You can only use 'contains' in the display filter syntax, which is unique to wireshark (and tshark, etc.)
--gilbert
On 7/2/07, Amit Paliwal <Amit.Paliwal@xxxxxxxxxxxxxxx > wrote:
yes i am using 'contains' keyword, and i am giving name of my protocol which is a string.....
i am running it on Windows and i used 'udp contains my_protocol' also but its not working.......
i need to give filter expressions defined by pcap, but i am not getting any documentation of it.
| "Gilbert Ramirez"
<gram@xxxxxxxxxxxxxxx
> Sent by: wireshark-dev-bounces@xxxxxxxxxxxxx 07/02/2007 11:15 AM
|
|
You're really using the "contains" keyword? That's for strings and
binary strings.
The spaces in your filter are probably confusing the shell when you
invoke wireshark/tshark from the command-line. Are you running on
Unix? Use single quotes around your filter:
tshark ............ 'udp contains xxx'
--gilbert
On 7/2/07, Amit Paliwal <Amit.Paliwal@xxxxxxxxxxxxxxx > wrote:
>
> I want to set command line filter _expression_ for proprietary protocol that
> is registered over UDP by its name. I am able to do it directly in Wireshark
> GUI by setting the _expression_ as "UDP contains my_protocol", but I need to
> do the same from command line that I am unable to do right now.
>
> Please suggest.
>
> Regards,
>
> ______________________________________________________________________
>
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
>
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
______________________________________________________________________
______________________________________________________________________
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
_____________________________________________________________________________________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
______________________________________________________________________
_______________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
_____________________________________________________________________________________________________________________
Wireshark-dev mailing list
Wireshark-dev@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-dev
______________________________________________________________________
- Follow-Ups:
- Re: [Wireshark-dev] filter expression required
- From: Gilbert Ramirez
- Re: [Wireshark-dev] filter expression required
- References:
- Re: [Wireshark-dev] filter expression required
- From: Gilbert Ramirez
- Re: [Wireshark-dev] filter expression required
- Prev by Date: Re: [Wireshark-dev] filter expression required
- Next by Date: [Wireshark-dev] Debian package files for 0.99.6
- Previous by thread: Re: [Wireshark-dev] filter expression required
- Next by thread: Re: [Wireshark-dev] filter expression required
- Index(es):