This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark filter on Time frames

Hi All I am trying to filter on time frames with tshark and send output to a new pcap file. I can't get this to work. I am on windows 8.1 pc.

Tshark filter i am trying to get to work: tshark -r d:\PCAP-DUMP\input.pcap -w d:\PCAP-DUMP\output.pcap -Y "(frame.time >= "Dec 29, 2014 19:00:00") && (frame.time <= "Dec 29, 2014 20:00:00") && ip.addr == 192.168.1.1"

The filter (frame.time >= "Dec 29, 2014 19:00:00") && (frame.time <= "Dec 29, 2014 20:00:00") && ip.src == 192.168.10.30" works fine in wireshark.

Can anyone help me out here ? What am i doing wrong ?

Best Regards Lenny

tshark

asked 29 Dec '14, 03:03

Netc
11●1●1●2
accept rate: 0%

One Answer:

You are experiencing a DOS box quoting problem, because of the way the DOS box is handling nested double quotes.

Please try this (using double double-quotes for the date):

tshark -r d:\PCAP-DUMP\input.pcap -w d:\PCAP-DUMP\output.pcap -Y "(frame.time >= ""Dec 29, 2014 19:00:00"") && (frame.time <= ""Dec 29, 2014 20:00:00"") && ip.addr == 192.168.1.1"

See also my answer to a similar question:

https://ask.wireshark.org/questions/29949/tshark-string

Regards
Kurt

answered 30 Dec '14, 04:32

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

edited 30 Dec '14, 04:35

Hi Kurt

Thanks..that solved my problem.

Best regards

Lenny Hansson

...Happy new year...

(02 Jan '15, 02:11) Netc

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(02 Jan '15, 03:24) grahamb ♦