If you want to use tcpdump, the only filters you can specify are pcap filters, which are the filters that, in Wireshark, are used as "capture filters".
If you want to use TShark, the -x flag prints in hex and ASCII (unlike the tcpdump -x flag, which prints only in hex), and the -r flag specifies the file to read (just as it does in tcpdump).

For TShark, you can specify a "read filter" - which are the filters that, in Wireshark, are used as display filters - with the -Y flag if you're doing a one-pass processing of the packets, or with the -R flag if you've also specified -2 to do two-pass processing. Two-pass processing takes longer, but it can, when printing packet data or evaluating filters, use information determined in the first pass. For most filters, you won't need two-pass processing.
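The following POSIX shell helper is an added example, not part of the answer above. It assembles the two invocations the answer describes (one-pass with -Y, two-pass with -2 and -R) next to the tcpdump form, so the difference between a display filter and a pcap capture filter is visible on one screen. The capture file name and the filter expressions are constructed placeholders; the helper only prints the command unless you call the run_* function on a host where the tool is installed.

```sh
#!/bin/sh
# Added example: build (and optionally run) tshark / tcpdump commands that
# dump matching packets in hex. File names and filters below are constructed.

# tshark_cmd FILE DISPLAY_FILTER [one|two]
# Prints the tshark command line. One-pass mode applies the display filter
# with -Y; two-pass mode adds -2 and applies it with -R instead.
tshark_cmd() {
    file=$1
    filter=$2
    mode=${3:-one}
    case $mode in
        one) printf "tshark -r %s -x -Y '%s'\n" "$file" "$filter" ;;
        two) printf "tshark -r %s -x -2 -R '%s'\n" "$file" "$filter" ;;
        *)   printf 'unknown mode: %s\n' "$mode" >&2; return 2 ;;
    esac
}

# tcpdump_cmd FILE CAPTURE_FILTER
# tcpdump takes a pcap (BPF) capture filter as its trailing expression; the
# display-filter syntax used with tshark will not parse here.
tcpdump_cmd() {
    printf "tcpdump -r %s -x '%s'\n" "$1" "$2"
}

# run_tshark FILE DISPLAY_FILTER [one|two]: execute only if tshark exists.
run_tshark() {
    command -v tshark >/dev/null 2>&1 || {
        echo "tshark not installed; would run: $(tshark_cmd "$@")" >&2
        return 127
    }
    case ${3:-one} in
        one) tshark -r "$1" -x -Y "$2" ;;
        two) tshark -r "$1" -x -2 -R "$2" ;;
    esac
}

# Usage on constructed inputs (prints the commands, runs nothing):
tshark_cmd  capture.pcap 'tcp.port == 443'
tshark_cmd  capture.pcap 'tcp.analysis.retransmission' two
tcpdump_cmd capture.pcap 'tcp port 443'
```

The second tshark call is the kind of case where two-pass processing matters: fields such as tcp.analysis.retransmission depend on state that tshark only has once it has seen the whole file, so -2 with -R gives consistent results where a single pass with -Y can miss early packets. For a plain port or address match, the one-pass form is enough.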
Is tshark an option or has to be tcpdump?

hi, if tshark works, that is good to know.