Wireshark · Wireshark-users: Re: [Wireshark-users] Tshark Tcap filtering

Wireshark-users: Re: [Wireshark-users] Tshark Tcap filtering

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>

Date: Tue, 20 Sep 2011 10:14:58 -0400

Erdinç Taşkın wrote:

Hello,
I have a problem about filtering from pcap file. I got a capture filethat created by tcpdump. I use filter criteria that "(tcap.tid ==01:5e:00:00) || (tcap.tid == 53:d0:90:96)" on wireshark found packet. Onsame capture file, using tshark (exact command "/tshark -R "(tcap.tid ==01:5e:00:00) || (tcap.tid == 53:d0:90:96)" -r test.pcap") does not matchany packet. What is wrong?

What version are you using? It works fine for me using the currenttrunk (which would probably be equivalent to 1.6.2 for this test).

If you run tshark without the read filter and with "-V" do you see theTCAP part, in particular the TIDs?

Follow-Ups:
- [Wireshark-users] merged capture file filtering
  - From: Malcolm Herbert
- Re: [Wireshark-users] Tshark Tcap filtering
  - From: Erdinç Taşkın

References:
- [Wireshark-users] Tshark Tcap filtering
  - From: Erdinç Taşkın

Prev by Date: [Wireshark-users] Tshark Tcap filtering
Next by Date: [Wireshark-users] merged capture file filtering
Previous by thread: [Wireshark-users] Tshark Tcap filtering
Next by thread: [Wireshark-users] merged capture file filtering
Index(es):
- Date
- Thread