On Fri, Jun 29, 2007 at 11:05:47AM +0900, Mitsuho Iizuka wrote:
>
> > Exactly, editcap just takes frame-numbers or times as filters. But you
> > can use tshark for your purpose like this:
> >
> > tshark -r <in-file> -w <out-file> -R "<display-filter of frames you want to keep>"
> >
> > If you have a complex filter and you are using tshark from unix (or cygwin),
> > you could have the filter in a file and do:
> >
> > tshark -r <in-file> -w <out-file> -R "`cat <filter-file>`"
>
> I tried, and got a tshark error. I doubt the tshark -R "`cat ...`" option.
> Does this work properly?
>
> % /usr/sbin/tshark -r snoop_res_IATSID02 -w snoop_fil_IATSID02 -R "`cat filter`"
> tshark: Read filters were specified both with "-R" and with additional
> command-line arguments
>
> % cat filter
> (tcp.port != 1035 && \
> tcp.port != 1036 && \
> tcp.port != 1039 && \
> tcp.port != 1040 && \
> tcp.port != 1043 && \
> tcp.port != 1044 && \
> tcp.port != 1047 && \
> :
> tcp.port != 60509)
>
> % wc filter
> 394 1968 8668 filter
There are two things you need to change. First of all, tshark is not a shell and
therefore does not understand the "\" to skip the newline. You need to put all
filters on one line:

$ cat filter
!( tcp.port==36283 || tcp.port==36316 || tcp.port==36348 || tcp.port==36349 || tcp.port==36353 || tcp.port==36354 || tcp.port==36363 )

$ tshark -r trace.cap -R "`cat filter`"
  1 0.000000 00:03:6b:a0:7b:42 -> 00:01:d7:33:f8:8a 10.51.172.122 3891 10.124.233.12 58762 175 TCP 3891 > 58762 [PSH, ACK] Seq=0 Ack=0 Win=32768 Len=121

Secondly, you need to change your filter string. The filter "tcp.port != 1035 &&
tcp.port != 1036" means "look for a packet where EITHER tcp.port does not equal
1035 AND EITHER tcp.port does not equal 1036". The correct filter would be
"!( tcp.port == 1035 || tcp.port == 1036 )", which means "look for a packet that
does not match EITHER tcp.port equals 1035 nor EITHER tcp.port equals 1036".

Have a look at http://wiki.wireshark.org/DisplayFilters (especially the
paragraph "Gotchas").

Hope this helps,
Cheers,
Sake

_______________________________________________
Wireshark-users mailing list
http://www.wireshark.org/mailman/listinfo/wireshark-users
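The following is an added example written for this page; it is not code from the thread, from Sake, or from the Wireshark project. It applies the two fixes from the reply mechanically and makes the second one visible: it pulls the port numbers out of a multi-line "tcp.port != N && \" filter file, emits the one-line "!( tcp.port == A || tcp.port == B )" form that tshark accepts, and then models why the two forms disagree. The model encodes the semantics the reply describes: tcp.port occurs twice per segment (source and destination), and "tcp.port != N" was true whenever either occurrence differed, so a chain of "!=" terms drops a packet only when both ports equal the same listed value. The filter file contents and packet port pairs are constructed for the example. Note that Wireshark 4.0 and later changed "!=" to mean "all not equal" (the same as "!(==)"), so the model reflects the older behaviour discussed here; check the release notes for the version you run.

```python
import re

# Constructed sample in the shape of the filter file from the thread:
# shell-style "\" continuations and the negated-AND form. Ports are made up.
BROKEN_FILTER_FILE = """(tcp.port != 1035 && \\
tcp.port != 1036 && \\
tcp.port != 1039 && \\
tcp.port != 60509)
"""


def ports_from_ne_chain(text):
    """Pull the port numbers out of a 'tcp.port != N && ...' filter file."""
    return [int(p) for p in re.findall(r"tcp\.port\s*!=\s*(\d+)", text)]


def build_exclude_filter(ports):
    """Emit the negated-OR form on a single line, as tshark expects it.

    Duplicates are collapsed and ports sorted so the output is stable.
    """
    uniq = sorted(set(ports))
    if not uniq:
        raise ValueError("no ports to exclude")
    return "!( " + " || ".join(f"tcp.port == {p}" for p in uniq) + " )"


def tshark_command(infile, outfile, display_filter, flag="-R"):
    """argv for tshark. The filter is one argv element, so the shell cannot
    split it into extra arguments. "-R" is the flag used in the thread;
    current tshark releases apply a display filter before -w with "-Y"."""
    return ["tshark", "-r", infile, "-w", outfile, flag, display_filter]


def keeps_ne_chain(tcp_ports, excluded):
    """Model of 'tcp.port != A && tcp.port != B && ...' as evaluated at the
    time of the thread: each term is true when ANY occurrence of tcp.port
    (source or destination) differs from the listed value."""
    return all(any(occ != n for occ in tcp_ports) for n in excluded)


def keeps_not_or(tcp_ports, excluded):
    """Model of '!( tcp.port == A || tcp.port == B || ... )': the packet is
    dropped if ANY occurrence equals ANY listed port."""
    return not any(occ in excluded for occ in tcp_ports)


def compare(packets, excluded):
    """Map each (src, dst) pair to (kept_by_ne_chain, kept_by_not_or)."""
    excluded = set(excluded)
    return {pkt: (keeps_ne_chain(pkt, excluded), keeps_not_or(pkt, excluded))
            for pkt in packets}


# Constructed (src, dst) port pairs: a port from the list on one side, on
# both sides, the same listed port on both sides, and none at all.
SAMPLE_PACKETS = [(1035, 443), (443, 1036), (1035, 1036), (1035, 1035), (22, 443)]


if __name__ == "__main__":
    ports = ports_from_ne_chain(BROKEN_FILTER_FILE)
    one_line = build_exclude_filter(ports)
    print(one_line)
    print(" ".join(tshark_command("in.cap", "out.cap", one_line)))
    for pkt, (ne, nor) in compare(SAMPLE_PACKETS, ports).items():
        print(f"{pkt}: != chain keeps={ne}  !(||) keeps={nor}")
```

Running it shows the "!=" chain keeping every packet that has a listed port on only one side (which is almost all of them), while the negated-OR form drops them; only a segment with the same listed port as both source and destination is dropped by both. That is the practical reason the original 394-line filter would have produced a nearly unfiltered capture even after the line-continuation problem was fixed.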
