Wireshark-users: Re: [Wireshark-users] Tshark Tcap filtering

From: Erdinç Taşkın <erdinctaskin@xxxxxxxxx>
Date: Fri, 23 Sep 2011 11:38:48 +0300
Thanks Jeff for your comments, my wireshark is pretty old version. I wil try with newest version.




2011/9/20 Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Erdinç Taşkın wrote:
Hello,

I have a problem about filtering from pcap file. I got a capture file that created by tcpdump. I use filter criteria that "(tcap.tid == 01:5e:00:00) || (tcap.tid == 53:d0:90:96)" on wireshark found packet. On same capture file, using tshark (exact command "/tshark -R "(tcap.tid == 01:5e:00:00) || (tcap.tid == 53:d0:90:96)" -r test.pcap") does not match any packet. What is wrong?

What version are you using?  It works fine for me using the current trunk (which would probably be equivalent to 1.6.2 for this test).

If you run tshark without the read filter and with "-V" do you see the TCAP part, in particular the TIDs?
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
           mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe



--
Erdinç Taşkın
erdinctaskin.blogspot.com