Hi,

From: Sake Blok <[EMAIL PROTECTED]>
Subject: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark ?
Date: Thu, 28 Jun 2007 10:20:17 +0200

> Healthchecks done by LB's are usually done from their own IP-address
> while production traffic is either from the client-ip or the NATted
> address, which is usually different from the address that the health
> checks are sent from. But... this varies per LB-brand. If they
> are different, you can filter on the ip-addresses. Please note
> that you can use a filter like "!ip.addr==<ip-healthchecks>"

Ummm... I'm a fool... Yes, those are only 4 IPs. I will do it.

> Exactly, editcap just takes frame-numbers or times as filters. But you
> can use tshark for your purpose like this:
>
> tshark -r <in-file> -w <out-file> -R "<display-filter of frames you want to keep>"
>
> If you have a complex filter and you are using tshark from unix (or cygwin),
> you could have the filter in a file and do:
>
> tshark -r <in-file> -w <out-file> -R "`cat <filter-file>`"

Can tshark -R accept ``? It is new to me. Just for my understanding, are there any limitations? Such as a shell command line length limitation.

I have been looking for a tool that can handle complex display filters. I know Ethereal has an IDL extension according to their site. How about Wireshark?

Regards,

// Mitsuho Iizuka
// AP Server Grp., 2nd System Software Div.,
// System Software Opr.Unit, IT Platform Biz.Unit, NEC Corp.
// Phone:+81-3-3456-4322
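
The filter-file approach discussed in this message, as an added example that is not part of the original e-mail or of the Wireshark project: it builds the exclusion filter from a list of health-check addresses and checks it against the argument-length limit before calling tshark. The addresses, file names and the TSHARK_FLAG variable are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: addresses, file names and TSHARK_FLAG are constructed/hypothetical.

# Build "!(ip.addr==A || ip.addr==B ...)" from a file holding one address
# per line; blank lines and '#' comments are skipped.
build_filter() {
    awk '
        /^[ \t]*(#|$)/ { next }
        { gsub(/[ \t\r]/, ""); terms = terms (n++ ? " || " : "") "ip.addr==" $0 }
        END { if (n) printf "!(%s)", terms }
    ' "$1"
}

# The shell expands `cat file` (or $(...)) before tshark starts, so tshark
# only ever sees one ordinary argument. The bound is therefore the exec
# limit: ARG_MAX overall, and on Linux 128 KiB for a single argument.
filter_fits() {
    limit=$(getconf ARG_MAX 2>/dev/null || echo 131072)
    case $limit in ''|*[!0-9]*) limit=131072 ;; esac
    if [ "$limit" -gt 131072 ]; then limit=131072; fi
    [ "${#1}" -lt "$limit" ]
}

# strip_healthchecks IN OUT IPLIST: keep every frame not involving IPLIST hosts.
strip_healthchecks() {
    filter=$(build_filter "$3")
    [ -n "$filter" ] || { echo "no addresses in $3" >&2; return 1; }
    filter_fits "$filter" || { echo "filter too long for one argument" >&2; return 1; }
    # The thread uses -R; current tshark releases use -Y for a one-pass
    # display filter, so the flag is overridable via TSHARK_FLAG.
    tshark -r "$1" -w "$2" "${TSHARK_FLAG:--Y}" "$filter"
}

# Demo on constructed data: four health-check sources (documentation range).
list=$(mktemp)
printf '%s\n' '# LB health checks' 192.0.2.11 192.0.2.12 192.0.2.13 192.0.2.14 > "$list"
build_filter "$list"; echo
rm -f "$list"
```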
