Ethereal-users: Re: [Ethereal-users] frame.time display filter not working in tethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Guy Harris <gharris@xxxxxxxxx>
Date: Wed, 29 Aug 2001 00:34:49 -0700
On Tue, Aug 28, 2001 at 09:37:20PM -0400, K A wrote:
> I'm trying to use tethereal to filter a tcpdump file based on time and IP 
> address.  The filter I am trying (based off Guy Harris' answer to someone 
> else's question) is:
> 
> frame.time >= "Aug 1, 2001 00:52:34" &&
>     frame.time <= "Aug 1, 2001 00:55:34" &&
>     ip.src = 192.168.0.1
> 
> This display filter works fine in ethereal,

That one doesn't, but

	frame.time >= "Aug 1, 2001 00:52:34" &&
	    frame.time <= "Aug 1, 2001 00:55:34" &&
	    ip.src == 192.168.0.1

does - you use "==", not "=", to compare.

> but when I use it on the command line in tethereal, it does not work.

Did you put the entire filter expression in single quotes?

If not, that won't work; '>', '<', and '&&', on the UNIX command line
(and "<" and ">", at least, on the Windows command line) have special
meanings.  Furthermore, so does '"'.

You'd have to do something such as

	tethereal -r input.tcpdump -w output.tcpdump -R 'frame.time >= "Aug 1, 2001 00:52:34" && frame.time <= "Aug 1, 2001 00:55:34" && ip.src == 192.168.0.1'

> I have even simplified it down to just 
> one check, but cannot even get that to work.  I tried using:
> 
> tethereal -r input.tcpdump -w output.tcpdump -R frame.time eq "Apr 5, 1999 08:10:01"
> 
> and I get the error message
> 
> tethereal: The string "5" was unexpected in this context.
> 
> Does anyone see what I am doing wrong?

The same thing - try

	tethereal -r input.tcpdump -w output.tcpdump -R 'frame.time eq "Apr 5, 1999 08:10:01"'

Yes, Tethereal *will* glue tokens to form a read filter if you *don't*
specify the "-R" flag, so you can do

	tethereal -r input.tcpdump -w output.tcpdump frame.number eq 17

However, that's not good enough if one of the operands of a comparison
operator is a string, such as in the expression

	frame.time eq "Apr 5, 1999 08:10:01"

because if you do

	tethereal -r input.tcpdump -w output.tcpdump frame.time eq "Apr 5, 1999 08:10:01"

the shell will pass "Apr 5, 1999 08:10:01", *WITHOUT* the quotes, as an
argument, to Tethereal, and Tethereal won't put the quotes back in, so
the expression it constructs will be

	frame.time eq Apr 5, 1999 08:10:01

which isn't valid.

So the rule is "unless you know *for certain* that the expression will
pass unscathed through the command interpreter, put the entire
expression in quotes".  Note that the quotes must be *single* quotes,
not *double* quotes, if the expression includes double-quotes.  (I don't
know whether you can do this on Windows; I think the Windows command
interpreter may only support double quotes, in which case if you want to
pass to Tethereal a filter expression that includes double quotes,
you may be completely out of luck on Windows.)

Note also that, if you use the "-R" flag, Tethereal assumes that the
next argument is the entire filter expression and doesn't glue arguments
together, so if you use the "-R" flag, you *must* put the entire
expression in quotes.
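The quoting behaviour Guy describes above can be watched directly in the shell without a capture file. The script below is an added example, not part of the original message or of Ethereal/Tethereal: `glue_args` stands in for Tethereal's joining of leftover arguments into a read filter, `count_args` reports how many words the shell actually delivered, and `shell_quote` / `build_tethereal_cmd` are hypothetical helpers that wrap a filter in single quotes (turning an embedded single quote into the `'\''` idiom) and print the resulting tethereal command line. The file names and filter expressions are the ones from the thread.

```shell
#!/bin/sh
# Added example for this thread; not part of the original message or of
# Ethereal/Tethereal. It imitates, in plain shell, what the command
# interpreter does to a read filter before Tethereal ever sees it, and
# builds a correctly quoted "-R" command line. No capture file is needed.

# Stand-in for Tethereal's token gluing when -R is absent: join the
# arguments with single spaces. By the time this runs the shell has already
# done word splitting and removed any quote characters it consumed.
glue_args() {
    printf '%s' "$*"
}

# Number of separate arguments the shell actually delivered.
count_args() {
    printf '%s' "$#"
}

# Wrap a filter expression in single quotes so the shell passes it through
# untouched; an embedded single quote becomes the '\'' idiom (close the
# quoted string, add an escaped quote, reopen). Hypothetical helper.
shell_quote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Assemble a tethereal command line with the filter safely quoted.
# Arguments: input file, output file, filter expression. Hypothetical helper;
# it only prints the command line, it does not run tethereal.
build_tethereal_cmd() {
    printf 'tethereal -r %s -w %s -R %s' "$1" "$2" "$(shell_quote "$3")"
}

# The failure mode from the thread. Without outer quotes the shell strips
# the double quotes: the date arrives as one bare argument and the glued
# expression has no quotes left in it. With nothing quoted at all the date
# is split into separate words, which is where the stray "5" comes from.
echo "double-quoted date : $(count_args frame.time eq "Apr 5, 1999 08:10:01") args -> $(glue_args frame.time eq "Apr 5, 1999 08:10:01")"
echo "no quotes at all   : $(count_args frame.time eq Apr 5, 1999 08:10:01) args -> $(glue_args frame.time eq Apr 5, 1999 08:10:01)"
echo "single-quoted whole: $(count_args 'frame.time eq "Apr 5, 1999 08:10:01"') arg  -> $(glue_args 'frame.time eq "Apr 5, 1999 08:10:01"')"

# The command line that actually works, with the whole expression protected.
build_tethereal_cmd input.tcpdump output.tcpdump \
    'frame.time >= "Aug 1, 2001 00:52:34" && frame.time <= "Aug 1, 2001 00:55:34" && ip.src == 192.168.0.1'
echo
```

Run it with `sh` and compare the three argument counts: 3, 6 and 1. Only the single-quoted form reaches the program as one argument with its double quotes intact, which is exactly what `-R` needs. The same helper is what you want when a script assembles filters from variables, since `shell_quote` keeps `>`, `<`, `&&` and `"` away from the interpreter regardless of what the filter contains.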