Wireshark-users: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 29 Jun 2007 07:13:00 +0200
On Fri, Jun 29, 2007 at 11:05:47AM +0900, Mitsuho Iizuka wrote:
> 
> > Exactly, editcap just takes frame-numbers or times as filters. But you
> > can use tshark for your purpose like this:
> > 
> > tshark -r <in-file> -w <out-file> -R "<display-filter of frames you want to keep>"
> > 
> > If you have a complex filter and you are using tshark from unix (or cygwin),
> > you could have the filter in a file and do:
> > 
> > tshark -r <in-file> -w <out-file> -R "`cat <filter-file>`"
> 
> I tried, and got tshark error. I doubt tshark -R "`cat ...`" option.
> Does this work properly ?
> 
>    % /usr/sbin/tshark -r snoop_res_IATSID02 -w snoop_fil_IATSID02
>       -R "`cat filter`"
>    tshark: Read filters were specified both with "-R" and with additional
>    command-line arguments
> 
>    % cat filter
>    (tcp.port != 1035 && \
>     tcp.port != 1036 && \
>     tcp.port != 1039 && \
>     tcp.port != 1040 && \
>     tcp.port != 1043 && \
>     tcp.port != 1044 && \
>     tcp.port != 1047 && \
>      :
>     tcp.port != 60509)
> 
>     % wc filter
>     394 1968 8668 filter

There are two things you need to change, first of all, tshark is not a
shell and therefore does not understand the "\" to skip the newline.
You need to put all filters on one line:

$ cat filter
!( tcp.port==36283 || tcp.port==36316 || tcp.port==36348 || tcp.port==36349 || tcp.port==36353 || tcp.port==36354 || tcp.port==36363 )

$ tshark -r trace.cap -R "`cat filter`"
   1   0.000000 00:03:6b:a0:7b:42 -> 00:01:d7:33:f8:8a 10.51.172.122 3891 10.124.233.12 58762 175 TCP 3891 > 58762 [PSH, ACK] Seq=0 Ack=0 Win=32768 Len=121

Secondly, you need to change your filter string. The filter 
"tcp.port != 1035 && tcp.port != 1036" means "look for a packet
where EITHER tcp.port does not equal 1035 AND EITHER tcp.port does
not equal 1036". The correct filter would be:
"!( tcp.port == 1035 || tcp.port == 1036 )" which means "look for
a packet that does not match EITHER tcp.port equals 1035 nor EITHER
tcp.port equals 1036".

Have a look at "http://wiki.wireshark.org/DisplayFilters" (especially
the paragraph "Gotchas").

Hope this helps, Cheers,


Sake
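Both points of the reply modelled in Python, as an added example that is not code from the thread or from Wireshark: `collapse_filter_file` folds a backslash-continued filter file into the single line tshark's `-R` expects, and `wrong_filter`/`right_filter` evaluate the two filter forms against constructed (src port, dst port) pairs, since `tcp.port` occurs twice per packet. All function names and the sample packets are assumptions made for this example.

```python
# Added example: a model of how a display filter on a multi-occurrence
# field such as tcp.port is evaluated. tcp.port carries two values per
# packet (source and destination), which is the root of the gotcha.

def collapse_filter_file(text):
    """Fold a filter written across lines with shell-style trailing
    backslashes into the single line that tshark -R expects."""
    parts = []
    for line in text.splitlines():
        line = line.rstrip()
        if line.endswith("\\"):      # tshark is not a shell: drop the "\"
            line = line[:-1]
        parts.append(line.strip())
    return " ".join(p for p in parts if p)

def build_filter(exclude):
    """The corrected one-line filter: !( tcp.port == a || tcp.port == b ... )"""
    return "!( " + " || ".join(f"tcp.port == {p}" for p in exclude) + " )"

def field_eq(ports, value):
    # "tcp.port == value" is true if ANY occurrence of the field matches
    return any(p == value for p in ports)

def field_ne(ports, value):
    # "tcp.port != value", as described in the reply: true if ANY
    # occurrence differs, so a packet with ports (1035, 58762) still passes
    return any(p != value for p in ports)

def wrong_filter(ports, exclude):
    """tcp.port != a && tcp.port != b && ..."""
    return all(field_ne(ports, v) for v in exclude)

def right_filter(ports, exclude):
    """!( tcp.port == a || tcp.port == b || ... )"""
    return not any(field_eq(ports, v) for v in exclude)

# Constructed sample: ports to drop, and three (src, dst) packets.
EXCLUDE = [1035, 1036, 1039]
PACKETS = [(1035, 58762), (49152, 1036), (3891, 58762)]

def apply_filter(fn, packets=PACKETS, exclude=EXCLUDE):
    """Return the packets a filter would keep."""
    return [pkt for pkt in packets if fn(pkt, exclude)]

if __name__ == "__main__":
    print(build_filter(EXCLUDE))
    print("wrong keeps:", apply_filter(wrong_filter))   # keeps all three
    print("right keeps:", apply_filter(right_filter))   # keeps only (3891, 58762)
```

Note that newer Wireshark releases changed `!=` on multi-occurrence fields to mean "all not equal", so `field_ne` models the behaviour the reply describes, not necessarily what a current build does.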