tshark http.response_in not working

I have a capture file with an HTTP 1.1 request in frame 536 and the HTTP 200 response in frame 856. Frame 856 is reassembled.
In Wireshark 3.6.7 I can filter those two packets by:

http.request_in in{536,856}||http.response_in in{536,856}

or by

http.request_in == 536 || http.response_in == 856

It works fine and I see both packets.

But when I use tshark I only see the response frame 856.

tshark -r tmp.pcap -Y "http.request_in in{536,856} || http.response_in in{536,856}"
tshark -r tmp.pcap -Y "http.request_in == 536 || http.response_in == 856"

When I run:

tshark -r tmp.pcap -Y "http.response_in == 856"

then no frame is shown. With the same filter, Wireshark shows frame 536.

The filter:

"frame.number == 536 || frame.number == 856"

works the same in tshark and Wireshark. What am I missing?