Riverbed Cascade Pilot Personal Edition: Take Wireshark to the Next Level - Advanced Triggers and Alerts; Web and VoIP Analytics; Long-Term Trending and Forensics; Deep Packet Analysis with Wireshark

Wireshark-users: Re: [Wireshark-users] Tshark and using display filters

Date Index Thread Index Other Months All Mailing Lists

Date Prev Date Next Thread Prev Thread Next

From: "Irakli Natshvlishvili" <iraklin@xxxxxxxxx>
Date: Sat, 5 May 2007 14:57:22 -0800

Thanks. Works.

On 5/4/07, Guy Harris <guy@xxxxxxxxxxxx> wrote:

Irakli Natshvlishvili wrote:

> Platform is XP with SP2. What I'm doing wrong?

You're assuming that you don't have to quote a read filter.  It's an
argument to the "-R" flag, so it has to be one shell-level token, so if
it contains token separators such as spaces, it needs to be quoted.

Try

        tshark -r all.cap -w filtered.cap -R "udp contains 100"

or, if "100" has to be quoted from TShark's point of view, you'll have
to nest quotes (I don't know how that's done with the standard Windows
command line, but on UN*X shells, even if you're running them on Windows

        tshark -r all.cap -w filtered.cap -R "udp contains \"100\""

should do).

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users

--
I.N.

References:
- [Wireshark-users] Tshark and using display filters
  - From: Irakli Natshvlishvili
- Re: [Wireshark-users] Tshark and using display filters
  - From: Guy Harris

Prev by Date: Re: [Wireshark-users] Wireshark and 2GB capture files
Next by Date: [Wireshark-users] Any Macintosh users out there?
Previous by thread: Re: [Wireshark-users] Tshark and using display filters
Next by thread: [Wireshark-users] Any Macintosh users out there?
Index(es):
- Date
- Thread