Irakli Natshvlishvili wrote:
> Platform is XP with SP2. What I'm doing wrong?
You're assuming that you don't have to quote a read filter. It's an
argument to the "-R" flag, so it has to be one shell-level token, so if
it contains token separators such as spaces, it needs to be quoted.
Try
tshark -r all.cap -w filtered.cap -R "udp contains 100"
or, if "100" has to be quoted from TShark's point of view, you'll have
to nest quotes (I don't know how that's done with the standard Windows
command line, but on UN*X shells, even if you're running them on Windows
tshark -r all.cap -w filtered.cap -R "udp contains \"100\""
should do).
_______________________________________________
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users
