Hi,

From: Sake Blok <[EMAIL PROTECTED]>
Subject: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark ?
Date: Fri, 29 Jun 2007 07:13:00 +0200

> There are two things you need to change, first of all, tshark is not a
> shell and therefore does not understand the "\" to skip the newline.
> You need to put all filters on one line:
>
> $ cat filter
> !( tcp.port==36283 || tcp.port==36316 || tcp.port==36348 || tcp.port==36349
> || tcp.port==36353 || tcp.port==36354 || tcp.port==36363 )
>
> $ tshark -r trace.cap -R "`cat filter`"
> 1 0.000000 00:03:6b:a0:7b:42 -> 00:01:d7:33:f8:8a 10.51.172.122 3891
> 10.124.233.12 58762 175 TCP 3891 > 58762 [PSH, ACK] Seq=0 Ack=0 Win=32768
> Len=121
>

This works ! Thank you. Just to be safe, I edited display-filter as follows.
However...

> Secondly, you need to change your filter string. The filter
> "tcp.port != 1035 && tcp.port != 1036" means "look for a packet
> where EITHER tcp.port does not equal 1035 AND EITHER tcp.port does
> not equal 1036". The correct filter would be:
> "!( tcp.port == 1035 || tcp.port == 1036 )" which means "look for
> a packet that does not match EITHER tcp.port equals 1035 nor EITHER
> tcp.port equals 1036.
>
> Have a look at "http://wiki.wireshark.org/DisplayFilters" (especially
> the paragraph "Gotchas").

It seems they are equivalent according to the well-known mathematics
formula ? !(A U B) = (!A && !B). It was long before.
Anyway I have a simple packet dump now.

I looked at the above Gotchas. But the Gotchas paragraph seems to describe
a different context.

// Mitsuho Iizuka
// AP Server Grp., 2nd System Software Div.,
// System Software Opr.Unit, IT Platform Biz.Unit, NEC Corp.
// Phone:+81-3-3456-4322
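
The two filter forms discussed in this message, as an added example that is not part of the original mail: a small Python model that assumes the "any occurrence matches" comparison described in the quoted reply, with tcp.port carrying both the source and the destination port. The function names and the packet tuples are constructed for illustration.

```python
# Added example: models the "EITHER tcp.port" reading from the quoted reply.
# tcp.port occurs twice per packet (source and destination port), and a
# comparison is true when ANY occurrence satisfies it (assumption taken
# from the quote). Packet tuples below are constructed sample data.

def any_eq(values, x):
    """field == x: true if any occurrence of the field equals x."""
    return any(v == x for v in values)

def any_ne(values, x):
    """field != x: true if any occurrence of the field differs from x."""
    return any(v != x for v in values)

def filter_ne_and(ports):
    """tcp.port != 1035 && tcp.port != 1036"""
    return any_ne(ports, 1035) and any_ne(ports, 1036)

def filter_not_or(ports):
    """!( tcp.port == 1035 || tcp.port == 1036 )"""
    return not (any_eq(ports, 1035) or any_eq(ports, 1036))

# (source port, destination port), constructed
PACKETS = [(1035, 80), (80, 1036), (1035, 1036), (1035, 1035), (3891, 58762)]

def compare(packets):
    """Rows of (packet, kept by the != form, kept by the !(==) form)."""
    return [(p, filter_ne_and(p), filter_not_or(p)) for p in packets]

def single_valued_agree(packets):
    """With one value per field (source port only) both forms agree."""
    return all(filter_ne_and((src,)) == filter_not_or((src,))
               for src, _ in packets)

if __name__ == "__main__":
    for pkt, ne_and, not_or in compare(PACKETS):
        print(f"{pkt!s:<14} !=/&&: {ne_and!s:<5}  !(==/||): {not_or}")
    print("single-valued forms agree:", single_valued_agree(PACKETS))
```

Under this model the `!=` form keeps any packet in which at least one of the two ports differs from the excluded value, so traffic to or from port 1035 still passes; the two forms agree only when the field has a single value per packet.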
