How do I use a filter expression, such as "frame contains ..." or "tcp contains ..." in tshark?

Hi Guys,

I am trying to use the same options "frame contains XXXX" and "tcp contains XXXX" in tshark, but I can't do that. Are these options available in tshark? How can I do that?

What options did you try? Did you consult the manual page?

$ tshark -r ./ultpcap2.pcapng -Y "frame contains \"http\""  | wc
    105    1589   16286

$ tshark -r ./ultpcap2.pcapng -Y "tcp contains \"http\""  | wc
     59     802    7940

The search string needs double quotes that are "escaped" since the string passed to -Y also needs quotes.
Brief discussion here in a question about tshark.

The escaping and/or quoting depends on the shell, e.g. for PowerShell (on Windows at least) you can mix single and double quotes, e.g. ... -Y "frame contains 'http'". The PowerShell escape is the backtick, so it could also be written ... -Y "frame contains `"http`"".
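The quoting rules from the answer and comment above, as an added example that is not part of the original posts: a POSIX shell sketch showing the filter string tshark actually receives under each spelling, plus a helper that builds a `contains` filter from an arbitrary search string. The function name `contains_filter`, the variable names and the file name `capture.pcapng` are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original thread).

# contains_filter PROTO STRING   (hypothetical helper)
# Prints: PROTO contains "STRING"
# Backslashes and double quotes inside STRING are backslash-escaped so they
# stay inside the display-filter string literal.
contains_filter() {
    proto=$1
    needle=$2
    escaped=$(printf '%s' "$needle" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf '%s contains "%s"' "$proto" "$escaped"
}

# Two spellings that hand tshark the same argument:
filter_escaped="frame contains \"http\""   # inner quotes escaped for the shell
filter_single='frame contains "http"'      # single quotes: nothing to escape

# Common mistake: unescaped inner quotes end and restart the shell string,
# so the quotes never reach tshark and the filter has no string literal.
filter_nested="frame contains "http""

printf 'escaped: %s\n' "$filter_escaped"
printf 'single : %s\n' "$filter_single"
printf 'nested : %s\n' "$filter_nested"
printf 'helper : %s\n' "$(contains_filter tcp 'GET "/index"')"

# Typical use (capture.pcapng is a placeholder file name):
#   tshark -r capture.pcapng -Y "$(contains_filter tcp 'http')"
```

Printing the argument first, as the `printf` lines do, is a quick check when a filter that works in the Wireshark GUI is rejected or matches nothing on the command line.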

Asked: 2020-12-06 15:44:03 +0000

