Irakli Natshvlishvili wrote: > Platform is XP with SP2. What I'm doing wrong?
You're assuming that you don't have to quote a read filter. It's an argument to the "-R" flag, so it has to be one shell-level token, so if it contains token separators such as spaces, it needs to be quoted. Try tshark -r all.cap -w filtered.cap -R "udp contains 100" or, if "100" has to be quoted from TShark's point of view, you'll have to nest quotes (I don't know how that's done with the standard Windows command line, but on UN*X shells, even if you're running them on Windows tshark -r all.cap -w filtered.cap -R "udp contains \"100\"" should do). _______________________________________________ Wireshark-users mailing list Wireshark-users@wireshark.org http://www.wireshark.org/mailman/listinfo/wireshark-users