
Wireshark-users: Re: [Wireshark-users] tshark: Read filters were specified both with "-R" and wit

From: Neil Fraser <cbr250@xxxxxxxxx>
Date: Sun, 30 Jan 2011 15:06:43 +1100
Thanks, it looks like I'm having success by using:

tshark -r hammer2901b -w 0291400000 -R "sip.To contains 0291400000 or sip.To contains 1887500412000000"

By using contains rather than == I was able to simplify the query (and get rid of that annoying @) but still get the same results.

We have a saying here in Australia: K.I.S.S. "keep it simple stupid", it appears I was trying to be too complex.

Thanks again for your advice.

Best regards,
Neil Fraser



On Sun, Jan 30, 2011 at 2:25 PM, Alan Tu <8libra@xxxxxxxxx> wrote:
Hmm. There are a few things at play. First, your shell environment
interprets the command and arguments. Then Tshark does it too.

I am pretty certain that the display filter needs to be quoted so that
the shell will treat that whole thing as one argument. That's the way
I run my scripts.

You may want to try putting a backslash in front of the @ sign and see
if Tshark likes it better.

Try testing using a simple query (no and clauses), once you have that
working, then build the complex queries.

Alan


On 1/30/11, Neil Fraser <cbr250@xxxxxxxxx> wrote:
> Hi Alan,
>
> Thanks for your response, but unfortunately I get:
>
> tshark: "@" was unexpected in this context.
>
> Regards,
>
>
> On Sun, Jan 30, 2011 at 2:04 PM, Alan Tu <8libra@xxxxxxxxx> wrote:
>
>> Neil, I don't have a Linux environment to play with but try
>> surrounding the whole display filter in a quote, like:
>>
>> tshark -r hammer2901b -w 0291400000 -R "sip.to.addr ==
>> sip:[email protected]:5060 or sip.to.addr ==
>> sip:[email protected]"
>>
>> Alan
>>
>>
>> On 1/30/11, Neil Fraser <cbr250@xxxxxxxxx> wrote:
>> > Hi,
>> >
>> > I'm having an issue trying to extract certain calls from a dump I have
>> > already made with fairly specific criteria.
>> >
>> > It appears it doesn't like the quotation marks I am using in my filter
>> > from Wireshark. I'm a novice at using tshark so I'll explain what I'm trying to
>> > achieve.
>> >
>> > input file : hammer2901b
>> > output file: 0291400000
>> > filter: sip.to.addr == "sip:[email protected]:5060" or sip.to.addr ==
>> > "sip:[email protected]"
>> >
>> > command I'm attempting to use in a linux environment:
>> > tshark -r hammer2901b -w 0291400000 -R sip.to.addr == "
>> > sip:[email protected]:5060" or sip.to.addr ==
>> > "sip:[email protected]"
>> >
>> > output always remains as: tshark: Read filters were specified both with
>> > "-R" and with additional command-line arguments
>> >
>> > Any advice greatly appreciated.
>> >
>> > Regards,
>> > Neil Fraser.
>> >
>
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
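The cause of the "Read filters were specified both with -R and with additional command-line arguments" error, as an added example (not code from this thread or from the Wireshark project): the script below splits both command lines the way a POSIX shell would and shows that the unquoted filter reaches tshark as a one-word -R value plus six stray positional arguments, which tshark joins into a second read filter. The sip.to.addr values are constructed placeholders (sip:USER@HOST), since the archive obfuscated the originals; the -r, -w and -R options are tshark's own.

```python
import shlex

# Constructed command lines modelled on the two invocations in the thread.
# The unquoted form is the one that failed; the quoted form is the one that worked.
UNQUOTED = ('tshark -r hammer2901b -w 0291400000 -R sip.to.addr == '
            '"sip:USER@HOST:5060" or sip.to.addr == "sip:USER@HOST"')
QUOTED = ('tshark -r hammer2901b -w 0291400000 '
          '-R "sip.To contains 0291400000 or sip.To contains 1887500412000000"')

# tshark options used in the thread that consume the following argument.
OPTS_WITH_VALUE = {'-r', '-w', '-R'}


def read_filter_args(cmdline):
    """Split cmdline like a POSIX shell and return (value of -R, leftover args).

    The shell does the word splitting before tshark ever sees the line, so an
    unquoted display filter is broken into many separate arguments.  tshark
    takes any non-option arguments left after option parsing as a read filter
    too, which is why it then complains that a filter was given both ways.
    """
    argv = shlex.split(cmdline)
    r_filter = None
    positional = []
    i = 1  # skip argv[0], the program name
    while i < len(argv):
        arg = argv[i]
        if arg in OPTS_WITH_VALUE:
            if arg == '-R':
                r_filter = argv[i + 1]
            i += 2
        elif arg.startswith('-'):
            i += 1  # flag without a value
        else:
            positional.append(arg)
            i += 1
    return r_filter, positional


def has_filter_conflict(cmdline):
    """True when both -R and stray positional arguments carry filter text,
    i.e. when tshark would report the error seen in the thread."""
    r_filter, positional = read_filter_args(cmdline)
    return r_filter is not None and len(positional) > 0


if __name__ == '__main__':
    for label, line in (('unquoted', UNQUOTED), ('quoted', QUOTED)):
        print(label, read_filter_args(line), 'conflict:', has_filter_conflict(line))
```

Passing the whole filter as a single quoted word is the fix; the @ in a SIP URI needs no escaping once it is inside the quotes.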