This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark: Using filter expression as field?

0

Hello,

I would like to distinguish frames from the tshark output; see this failed attempt:

tshark -r mydump-20141015-185000.dump  -Y "frame contains a or frame contains b" -T fields -e frame.time -e "frame contains a" -e "frame contains b"

I would like the following output:

time1 0 1 # not contains a and contains b
time2 1 1 # contains a and contains b
time3 1 0 # contains a and not contains b

Thank you very much! Does tshark have such a capability?

Regards

asked 15 Oct '14, 11:53

i5513

edited 15 Oct '14, 17:28

Guy Harris ♦♦

One Answer:

1

No, -e currently supports only fields, not arbitrary filter expressions. File an enhancement request at the Wireshark bugzilla if you'd like to see a capability such as this added.

answered 15 Oct '14, 17:27

Guy Harris ♦♦

(16 Oct '14, 09:20) i5513
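
A workaround for the limitation described in the answer, as an added example that is not part of the original thread or of Wireshark itself: run one tshark pass per filter expression, print only frame.number, and join the passes into per-frame 0/1 columns. The function names merge_flags and contains_flags are hypothetical, and the quoted strings in the usage comment are placeholders for the real search terms.

```shell
#!/bin/sh
# Emulate "-e <filter expression>" with one tshark pass per expression,
# joined on frame.number (added example; tshark must be on PATH for
# contains_flags, merge_flags needs only awk).

# merge_flags ALL A B
#   ALL : lines of "frame.number<TAB>frame.time" for every frame to report
#   A, B: one frame.number per line for the frames matching each expression
# Prints "frame.time<TAB>flagA<TAB>flagB" in capture order.
merge_flags() {
    awk -F '\t' -v OFS='\t' '
        FILENAME == ARGV[1] { a[$1] = 1; next }   # frames matching expression A
        FILENAME == ARGV[2] { b[$1] = 1; next }   # frames matching expression B
        { print $2, (($1 in a) ? 1 : 0), (($1 in b) ? 1 : 0) }
    ' "$2" "$3" "$1"
}

# contains_flags CAPTURE EXPR_A EXPR_B
#   Runs three read passes over CAPTURE; -T fields separates columns with a
#   tab by default, which is what merge_flags expects.
contains_flags() {
    tmp=$(mktemp -d) || return 1
    tshark -r "$1" -Y "$2" -T fields -e frame.number > "$tmp/a" &&
    tshark -r "$1" -Y "$3" -T fields -e frame.number > "$tmp/b" &&
    tshark -r "$1" -Y "($2) or ($3)" -T fields \
           -e frame.number -e frame.time > "$tmp/all" &&
    merge_flags "$tmp/all" "$tmp/a" "$tmp/b"
    rc=$?
    rm -rf "$tmp"
    return $rc
}

# Usage (placeholder search strings):
#   contains_flags mydump-20141015-185000.dump \
#       'frame contains "a"' 'frame contains "b"'
```

The capture is read three times, so on large files expect roughly three times the runtime of a single filtered pass.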