Ethereal-users: Re: [Ethereal-users] Does ethereal really support "-R"?

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: Jeff Morriss <jeff.morriss@xxxxxxxxxxx>
Date: Thu, 25 Aug 2005 16:49:34 -0400

Steve Greenland wrote:
I'm trying to load part of a tcpdump file into ethereal (the whole
file is too big for my machine). The "-R" option seems just the thing.
However, I cannot seem to make it work, even with simple test cases like

     ethereal -r t.dump -R 'frame.number == 1'

which displays no packets at all. Other attempts (e.g.
"frame.relative_time < 5") show all the packets.

FWIW, tethereal does the right thing:
$ tethereal -r t.dump  -R 'frame.number == 1'
  1   0.000000 192.168.0.102 -> 192.168.0.255 CUPS ipp://zero.lsli.com:631/printers/Lexmark (idle)

I use "-R" all the time with Ethereal, though not with "frame" related filters. I just tried it again (to make sure) with 0.10.12, and sure enough, my typical use (e.g., "-R m3ua") worked well.

However, using your filter didn't work. I suppose it's related to the fact that "frame" is the top level "dissector" and is therefore somehow special.