From: Sake Blok <sake@xxxxxxxxxx>
Subject: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark ?
Date: Fri, 29 Jun 2007 07:13:00 +0200

Hi,
> There are two things you need to change, first of all, tshark is not a
> shell and therefore does not understand the "\" to skip the newline.
> You need to put all filters on one line:
>
> $ cat filter
> !( tcp.port==36283 || tcp.port==36316 || tcp.port==36348 || tcp.port==36349 || tcp.port==36353 || tcp.port==36354 || tcp.port==36363 )
>
> $ tshark -r trace.cap -R "`cat filter`"
> 1 0.000000 00:03:6b:a0:7b:42 -> 00:01:d7:33:f8:8a 10.51.172.122 3891 10.124.233.12 58762 175 TCP 3891 > 58762 [PSH, ACK] Seq=0 Ack=0 Win=32768 Len=121
>
This works ! Thank you. Just to be safe, I edited display-filter as
follows. However...
> Secondly, you need to change your filter string. The filter
> "tcp.port != 1035 && tcp.port != 1036" means "look for a packet
> where EITHER tcp.port does not equal 1035 AND EITHER tcp.port does
> not equal 1036". The correct filter would be:
> "!( tcp.port == 1035 || tcp.port == 1036 )" which means "look for
> a packet that does not match EITHER tcp.port equals 1035 nor EITHER
> tcp.port equals 1036.
>
> Have a look at "http://wiki.wireshark.org/DisplayFilters" (especially
> the paragraph "Gotchas").
It seems they are equivalent according to the well-known mathematical
formula?
!(A U B) = (!A && !B).
It was long before. Anyway I have a simple packet dump now.
I looked at above Gotchas. But Gotchas paragraph seems to describe
a different context.
// Mitsuho Iizuka
// AP Server Grp., 2nd System Software Div.,
// System Software Opr.Unit, IT Platform Biz.Unit, NEC Corp.
// Phone:+81-3-3456-4322
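The disagreement in this thread comes down to how a display filter treats a field that occurs more than once in a packet: `tcp.port` has two instances (source and destination), and in the semantics Sake describes a comparison is true if any instance satisfies it. The following Python model is an added example, not Wireshark's own code or anything from the list thread; it assumes that existential semantics and uses constructed sample packets to show why `tcp.port != A && tcp.port != B` keeps packets that `!(tcp.port == A || tcp.port == B)` drops. It also renders the correct filter as the single-line string tshark expects. Note that later Wireshark releases changed the meaning of `!=` to match `!(a == b)`, so check the display-filter documentation for the version in use.

```python
"""Model of the Wireshark display-filter gotcha for multi-valued fields.

A TCP packet exposes two instances of `tcp.port` (src and dst). Under the
semantics quoted in the thread, `tcp.port != X` is true if ANY instance
differs from X, which is almost always the case, so chaining `!=` clauses
with `&&` excludes nothing. `!(tcp.port == X)` negates the existential
match and therefore excludes the packet whenever EITHER port is X.
Stand-alone illustration; not Wireshark source.
"""


def any_eq(values, wanted):
    """True if any instance of the field equals `wanted` (field == wanted)."""
    return any(v == wanted for v in values)


def any_ne(values, wanted):
    """True if any instance differs from `wanted` (field != wanted, old semantics)."""
    return any(v != wanted for v in values)


def naive_exclude(packet, ports):
    """tcp.port != p1 && tcp.port != p2 && ...  (looks right, but is not)."""
    values = packet["tcp.port"]
    return all(any_ne(values, p) for p in ports)


def correct_exclude(packet, ports):
    """!( tcp.port == p1 || tcp.port == p2 || ... )  (the filter from the reply)."""
    values = packet["tcp.port"]
    return not any(any_eq(values, p) for p in ports)


def build_exclude_filter(ports):
    """Render the correct filter as one line, since tshark takes the filter as
    a single argument and does not interpret a shell-style backslash newline."""
    clauses = " || ".join(f"tcp.port=={p}" for p in ports)
    return f"!( {clauses} )"


def apply_filter(filter_fn, packets, ports):
    """Return the ids of the packets the filter keeps."""
    return [p["id"] for p in packets if filter_fn(p, ports)]


# Constructed sample packets (not from a real capture); each carries the two
# tcp.port instances a TCP segment would expose.
SAMPLE_PACKETS = [
    {"id": 1, "tcp.port": [1035, 58762]},  # one side uses an unwanted port
    {"id": 2, "tcp.port": [3891, 58762]},  # neither port is unwanted
    {"id": 3, "tcp.port": [1036, 1035]},   # both ports are unwanted
]

UNWANTED = [1035, 1036]

if __name__ == "__main__":
    # The naive filter keeps every packet, even packet 3 where both ports are
    # unwanted, because each != clause is satisfied by the other port instance.
    print("naive   :", apply_filter(naive_exclude, SAMPLE_PACKETS, UNWANTED))
    # The negated-OR form keeps only packet 2.
    print("correct :", apply_filter(correct_exclude, SAMPLE_PACKETS, UNWANTED))
    print("tshark  :", build_exclude_filter(UNWANTED))
```

Running the model shows the naive filter keeping packets 1, 2 and 3 while the negated-OR form keeps only packet 2; the only packet the naive form would ever drop is one whose two port instances are both the same excluded value.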