# Revision history [back]

You can't. Display filters operate in each packet in turn deciding whether it should be displayed or not based on the content of that packet, you can't reference any other packet.

You could use tshark to output the data and then use a post-processing script to check for the violations. A suitable invocation of tshark to just output the frame number and source ip address in csv form would be:

tshark -r <capture file> -T fields E "separator=," -e frame.number -e ip.src <optional display filter>


the <optional display="" filter=""> is if you need to add one to restrict the output to your protocol. On Windows you will need to provide the full path to tshark (usually C:\Program Files\Wireshark\tshark) as it's not on the path.

You can't. Display filters operate in each packet in turn deciding whether it should be displayed or not based on the content of that packet, you can't reference any other packet.

You could use tshark to output the data and then use a post-processing script to check for the violations. A suitable invocation of tshark to just output the frame number and source ip address in csv form would be:

tshark -r <capture file> -T fields E "separator=," -e frame.number -e ip.src <optional display filter>


the <optional display="" filter=""> display filter> is if you need to add one to restrict the output to your protocol. On Windows you will need to provide the full path to tshark (usually C:\Program Files\Wireshark\tshark) as it's not on the path.