To quote the TShark man page:

  -O  <protocols>
       Similar to the -V option, but causes TShark to only show a detailed
       view of the comma-separated list of protocols specified, and show
       only the top-level detail line for all other protocols, rather than
       a detailed view of all protocols.  Use the output of "tshark -G
       protocols" to find the abbreviations of the protocols you can
       specify.

So -O does not specify "show me only packets for this protocol", it specifies "for -V output, show details only for protocols in this list", so it's not like filtering, it's like opening up the packet details pane items for the protocols in question.

The option you want is:

   -Y|--display-filter  <displaY filter>
       Cause the specified filter (which uses the syntax of read/display
       filters, rather than that of capture filters) to be applied before
       printing a decoded form of packets or writing packets to a file.
       Packets matching the filter are printed or written to file; packets
       that the matching packets depend upon (e.g., fragments), are not
       printed but are written to file; packets not matching the filter
       nor depended upon are discarded rather than being printed or
       written.

       Use this instead of -R for filtering using single-pass analysis. If
       doing two-pass analysis (see -2) then only packets matching the
       read filter (if there is one) will be checked against this filter.

so do -Y oicq (protocol names are generally lower-case - -Y OICQ gives an error).