Wireshark-users: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark

From: Mitsuho Iizuka <m-iizuka@xxxxxxxxxxxxx>
Date: Fri, 29 Jun 2007 11:05:47 +0900 (JST)
Hi,

From: Sake Blok <sake@xxxxxxxxxx>
Subject: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark ?
Date: Thu, 28 Jun 2007 10:20:17 +0200

> Exactly, editcap just takes frame-numbers or times as filters. But you
> can use tshark for your purpose like this:
> 
> tshark -r <in-file> -w <out-file> -R "<display-filter of frames you want to keep>"
> 
> If you have a complex filter and you are using tshark from unix (or cygwin),
> you could have the filter in a file and do:
> 
> tshark -r <in-file> -w <out-file> -R "`cat <filter-file>`"

I tried, and got a tshark error. I doubt the tshark -R "`cat ...`" option.
Does this work properly?

    % /usr/sbin/tshark -r snoop_res_IATSID02 -w snoop_fil_IATSID02
        -R "`cat filter`"
    tshark: Read filters were specified both with "-R" and with additional
    command-line arguments

    % cat filter
    (tcp.port != 1035 && \
     tcp.port != 1036 && \
     tcp.port != 1039 && \
     tcp.port != 1040 && \
     tcp.port != 1043 && \
     tcp.port != 1044 && \
     tcp.port != 1047 && \
      :
     tcp.port != 60509)

    % wc filter
    394 1968 8668 filter


// Mitsuho Iizuka
// AP Server Grp., 2nd System Software Div.,
// System Software Opr.Unit, IT Platform Biz.Unit, NEC Corp.
// Phone:+81-3-3456-4322
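An added example, not part of this thread or of the Wireshark project's own code, showing the two things a practitioner would want here. First, the error above is a word-splitting problem: the filter file is 394 lines joined by backslash-newline continuations, and in csh-family shells (the `%` prompt) command substitution inside double quotes is still split into separate words at newlines, so every line after the first becomes an extra command-line argument; in Bourne-family shells the output is not split, but the literal backslashes stay inside the single argument, which is not what the filter syntax expects. Either way the fix is to collapse the file to one line before handing it to `-R`. Second, a caveat on the filter itself: a TCP packet carries two `tcp.port` fields (source and destination), and `tcp.port != 1035` is true whenever either field differs from 1035, so it does not exclude traffic on that port; the form Wireshark documents for this is `!(tcp.port == 1035)`. The function and file names below are assumptions, and the sample input is constructed.

```sh
#!/bin/sh
# Added example (not from the original thread). Assumes POSIX sh, sed and tr.

# Collapse a filter file that uses backslash-newline continuations (read on
# stdin) into a single line, so that the whole filter is ONE argument to tshark
# regardless of which shell runs the command.
join_filter() {
    sed 's/[[:space:]]*\\$//' \
        | tr '\n' ' ' \
        | sed 's/[[:space:]]\{1,\}/ /g; s/^ //; s/ $//'
}

# Build a display filter that excludes every TCP port listed on stdin (one port
# per line). Uses !(tcp.port == N) rather than tcp.port != N: a packet has a
# source port and a destination port, and "tcp.port != N" matches as soon as
# either one differs from N, so it would keep the very packets meant to be
# dropped.
exclude_ports_filter() {
    first=1
    out=""
    while IFS= read -r port; do
        [ -n "$port" ] || continue            # skip blank lines
        if [ "$first" -eq 1 ]; then
            out="!(tcp.port == $port)"
            first=0
        else
            out="$out && !(tcp.port == $port)"
        fi
    done
    printf '%s' "$out"
}

# Usage (file names are placeholders; no capture is read in this example):
#   printf '1035\n1036\n1039\n' | exclude_ports_filter > filter.txt
#   tshark -r in.pcap -w out.pcap -R "$(join_filter < filter.txt)"
# On current tshark versions -R is a first-pass read filter that needs -2;
# for a single-pass filtered write, use -Y in place of -R.
```

The `join_filter` step is what removes the shell dependency: once the filter is a single line, the double-quoted substitution yields one argument in csh, tcsh, sh and bash alike, and the "Read filters were specified both with -R and with additional command-line arguments" message cannot occur.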