
How do I use a filter expression, such as "frame contains ..." or "tcp contains ..." in tshark?

Hi Guys,

I am trying to use the same options "frame contains XXXX" and "tcp contains XXXX" in tshark, but I can't do that. Are these options available in tshark? How can I do that?

moraist
asked 2020-12-06 15:44:03 +0000
Guy Harris
updated 2020-12-06 20:39:22 +0000

Comments

What options did you try? Did you consult the manual page?

Jaap (2020-12-06 16:35:40 +0000)

1 Answer

$ tshark -r ./ultpcap2.pcapng -Y "frame contains \"http\""  | wc
    105    1589   16286

$ tshark -r ./ultpcap2.pcapng -Y "tcp contains \"http\""  | wc
     59     802    7940

The search string needs double quotes that are "escaped" since the string passed to -Y also needs quotes.
Brief discussion here in a question about tshark.

Chuckc
answered 2020-12-06 16:53:27 +0000

Comments

The escaping and/or quoting depends on the shell, e.g. for PowerShell (on Windows at least) you can mix single and double quotes, e.g. ... -Y "frame contains 'http'". The PowerShell escape is the backtick, so it could also be written ... -Y "frame contains `"http`"".

grahamb (2020-12-06 19:42:58 +0000)
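The quoting behaviour discussed in the answer and comment above, as an added example for POSIX sh/bash that is not part of the original thread. It shows what a program actually receives for each quoting form without running tshark; `dfilter_contains`, `count_args` and `last_arg` are hypothetical helper names, and the sample strings are constructed.

```shell
#!/bin/sh
# Added example: how the shell hands a display filter to the program after -Y.

# Build `<field> contains "<needle>"` as one string. Backslashes and double
# quotes in the needle are backslash-escaped (the display filter's C-style
# string escapes) so the needle stays a single quoted literal.
dfilter_contains() {
    dc_escaped=$(printf '%s' "$2" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf '%s contains "%s"' "$1" "$dc_escaped"
}

# Stand-ins for tshark: report the argument count and the final argument.
count_args() { printf '%s' "$#"; }
last_arg() { for la_arg in "$@"; do :; done; printf '%s' "$la_arg"; }

# Unquoted filter: the shell splits it into words and strips the quotes,
# so the program gets -Y, frame, contains, http as four separate arguments.
printf 'unquoted:        %s args, last=[%s]\n' \
    "$(count_args -Y frame contains "http")" \
    "$(last_arg -Y frame contains "http")"

# Escaped double quotes inside double quotes (the form used in the answer).
printf 'escaped quotes:  %s args, last=[%s]\n' \
    "$(count_args -Y "frame contains \"http\"")" \
    "$(last_arg -Y "frame contains \"http\"")"

# Single quotes outside, double quotes inside: same result in sh/bash.
printf 'single outside:  %s args, last=[%s]\n' \
    "$(count_args -Y 'frame contains "http"')" \
    "$(last_arg -Y 'frame contains "http"')"

# Search string taken from a variable, including an embedded double quote.
needle='say "hi"'
printf 'from variable:   last=[%s]\n' \
    "$(last_arg -Y "$(dfilter_contains tcp "$needle")")"

# Real use would look like:
#   tshark -r ./ultpcap2.pcapng -Y "$(dfilter_contains frame http)"
```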
