ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-users: Re: [Wireshark-users] tshark smb,srt filter error

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Tal Bar-Or <tbaror@xxxxxxxxx>
Date: Sun, 20 Oct 2013 20:59:04 +0300
Hi again Evan,

Great news its works i did

C:\traces_test>"c:\Program Files\Wireshark\tshark.exe" -r tracesmb_fileop2.pcap -Y "smb.time" -T fields -e ip.dst  -e ip.src -e smb.file -e smb.path -e smb.time

and i noticed that the file include the sub directory ( i used it on another file)
  \\public\\WhereAreAllTheFiles.txt               0.000443000
  \\public\\WhereAreAllTheFiles.txt               0.000281000
  \\public\\WhereAreAllTheFiles.txt               0.000220000 
so i did
C:\traces_test>"c:\Program Files\Wireshark\tshark.exe" -n -r tracesmb_fileop2.pcap -q -z "smb,srt,smb.file==\"\\public\\WhereAreAllTheFiles.txt\""

=================================================================
SMB SRT Statistics:
Filter: smb.file=="\\public\\WhereAreAllTheFiles.txt"
Commands                   Calls    Min SRT    Max SRT    Avg SRT

Transaction2 Commands      Calls    Min SRT    Max SRT    Avg SRT
QUERY_PATH_INFO                6   0.000220   0.000443   0.000284

NT Transaction Commands    Calls    Min SRT    Max SRT    Avg SRT
=================================================================

and now works
Thanks
Cheers 



On Sun, Oct 20, 2013 at 8:51 PM, Tal Bar-Or <tbaror@xxxxxxxxx> wrote:
Hi Evan,

Thanks for the suggestion , i don't have error but i don't have any statistics :-(


On Sun, Oct 20, 2013 at 8:05 PM, Evan Huus <eapache@xxxxxxxxx> wrote:
On Sun, Oct 20, 2013 at 1:47 AM, Tal Bar-Or <tbaror@xxxxxxxxx> wrote:
> Hi All,
>
> i am trying to get some smb statistics for certain file using tshark for
> scripting propose , i think i am using the correct syntax but still getting
> errors as follows below even if i remove the \ i get invalid - "New" was
> unexpected in this context.
>
> Please advice
>
> Thanks
>
>
>> C:\traces_test>"c:\Program Files\Wireshark\tshark.exe" -n -r
>> tracesmb_fileop1.pcap -q -z "smb,srt,smb.file==\\New Video 12_20196.xml"
>>
>> tshark: Couldn't register smb,srt tap: Filter "smb.file==\New Video
>> 12_20196.xml" is invalid - "\" was unexpected in this context.
>
>
> --
> Tal Bar-or

Hi Tal,

Just guessing, but I think you probably need to add quotes around the
file-name string. Does

"smb,srt,smb.file==\"\\New Video 12_20196.xml\""

work?

Evan
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



--
Tal Bar-or



--
Tal Bar-or
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube