Wireshark-users: [Wireshark-users] print number of packet based on filter in a file
From: "Manolis Katsidoniotis" <manoska@xxxxxxxxx>
Date: Fri, 25 Sep 2009 00:14:52 +0300



I have a large capture file and would like to print the number of packets that apply to the below display filters:

megaco.command == "Add"

megaco.command == "Modify”

megaco.command == "Subtract"


I am entering


tshark -r F:\Temp\bang_cont_00001_20090626194720.pcap -q -z io,stat,600,megaco.command=="Add"


but I get the total number of packets not the megaco add commands (which is what I had in the filter)


C:\Program Files\Wireshark>tshark -r F:\Temp\bang_cont_00001_20090626194720.pcap -q -z io,stat,600,megaco.command=="Add"

NOTE: you should run 'diskperf -y' to enable the disk statistics



IO Statistics

Interval: 600.000 secs

Column #0:

                |   Column #0

Time            |frames|  bytes

000.000-600.000   48110  25445310




48110 is the number of total captured frames

Instead when I apply the display the number of packets selected is 16107


Looks like my filter is not working.


What am I doing wrong?


Thanks in advance for your time