Ask Your Question

Revision history [back]

display filter mismatch for writing files

Hi There

Im trying to reduce large cap files for detailed analysis in tshark in this case want to filter out all http requests or responses so using -r in.file -Y "http.request or http.response" -w out.file

before filter ing the packets out I was counting in the raw file the number of http.requests - assuming that same number will appear in the filtered output files but the number in the new out.file is only 60% compared to the in.file - so this seems not reliable process I thought my -Y filter with "OR" may be a problem and tried a single condition (http.request) but same result any hints what I did wrong ? thanks in advance

click to hide/show revision 2
merged revision

updated 2019-09-24 21:58:12 +0000

SYN-bit gravatar image

display filter mismatch for writing files

Hi There

Im trying to reduce large cap files for detailed analysis in tshark in this case want to filter out all http requests or responses so using -r in.file -Y "http.request or http.response" -w out.file

before filter ing the packets out I was counting in the raw file the number of http.requests - assuming that same number will appear in the filtered output files but the number in the new out.file is only 60% compared to the in.file - so this seems not reliable process I thought my -Y filter with "OR" may be a problem and tried a single condition (http.request) but same result any hints what I did wrong ? thanks in advance

hi there im using tshark to filter out http response packets I find 2 option using as filter - http.response - and http.response.code I assume that where a http.response code is - this will be a http.response too surprised finding that number of packets with filter "http.response.code" are usually 25% more than with just "http.response" as filter Im using z io,stat for counting the hits and repeated tests several time always same result using shark 2.6.3 would be glad for any hint

click to hide/show revision 3
None

updated 2019-09-24 21:59:23 +0000

SYN-bit gravatar image

display filter mismatch for writing files

Hi There

Im trying to reduce large cap files for detailed analysis in tshark in this case want to filter out all http requests or responses so using -r in.file -Y "http.request or http.response" -w out.file

before filter ing the packets out I was counting in the raw file the number of http.requests - assuming that same number will appear in the filtered output files but the number in the new out.file is only 60% compared to the in.file - so this seems not reliable process I thought my -Y filter with "OR" may be a problem and tried a single condition (http.request) but same result any hints what I did wrong ? thanks in advance

===

Merged in from your other question:

hi there im using tshark to filter out http response packets I find 2 option using as filter - http.response - and http.response.code I assume that where a http.response code is - this will be a http.response too surprised finding that number of packets with filter "http.response.code" are usually 25% more than with just "http.response" as filter Im using z io,stat for counting the hits and repeated tests several time always same result using shark 2.6.3 would be glad for any hint hint

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2