This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Display filter works in Wireshark but not in TShark - Special Characters Issue?

0

I am trying to write a tshark read filter to match a Wireshark display filter that works fine. However, it seems that even when using quotation marks (which works in Wireshark), I get a variety of errors, based on the contents. It seems to be the same for both frame contains and tcp.data contains.

-R frame contains "something="
returns: = not expected in this context

-R frame contains "2134 error"
returns: error expected in this context

-R frame contains "txt"
returns: not expected in this context

-R frame contains "(test"
returns: syntax error

-R frame contains ":text"
returns: not valid byte string

I am stumped because these work fine to find the strings in Wireshark. I have successfully written ones with plain text letters that work fine across both TShark and Wireshark, and all I have changed is the read filter strings. Please advise!

asked 22 Jun '11, 15:50

erub

edited 22 Jun '11, 15:50


One Answer:

0

On the command line, the whole filter should be one string, i.e. the whole display filter should be in quotes (or contain no spaces). You might want to try the following:

-R 'frame contains "something="'

(I believe this does not work on Windows, but I know there are ways on Windows, even though I don't know them :-))

answered 22 Jun '11, 16:28

SYN-bit ♦♦

I actually found the answer to this question (for windows) in another thread:

frame contains " blah blah error crazy characters #&%#($# " works fine. Thanks for the reply!

(23 Jun '11, 09:55) erub

(converted your "answer" to a "comment", see the FAQ)

(24 Jun '11, 01:33) SYN-bit ♦♦
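
What a POSIX shell does to the filters in this thread, as an added example that is not part of the original posts: `argv_of` is a hypothetical stand-in for tshark that prints the arguments it actually receives, and `contains_filter` is a hypothetical helper that assumes display-filter strings accept `\"` and `\\` escapes.

```shell
#!/bin/sh
# argv_of: hypothetical stand-in for tshark. Prints each argument it
# receives on its own line inside <>, so lost quotes are visible.
argv_of() {
    for arg in "$@"; do
        printf '<%s>\n' "$arg"
    done
}

# Forms from the question: the shell consumes the double quotes, so the
# program gets separate words and no quoted string at all.
unquoted_eq()  { argv_of -R frame contains "something="; }
unquoted_err() { argv_of -R frame contains "2134 error"; }

# Form from the answer: one argument, inner double quotes preserved.
single_quoted() { argv_of -R 'frame contains "something="'; }

# Equivalent using only double quotes, inner ones backslash-escaped.
escaped() { argv_of -R "frame contains \"something=\""; }

# contains_filter FIELD NEEDLE (hypothetical helper): builds
# FIELD contains "NEEDLE". Assumption: display-filter strings accept
# \" and \\ escapes, so both characters are escaped in NEEDLE.
contains_filter() {
    needle=$(printf '%s' "$2" | sed 's/[\\"]/\\&/g')
    printf '%s contains "%s"\n' "$1" "$needle"
}

echo "question, as typed:";  unquoted_eq; unquoted_err
echo "answer, single-quoted:"; single_quoted
echo "double-quoted with escapes:"; escaped

# Constructed needle with shell metacharacters, like the follow-up comment.
filter=$(contains_filter frame 'error #&%#($# "x"')
echo "built filter, passed as one argument:"
argv_of -R "$filter"
```

Keeping the filter in a variable and expanding it as `"$filter"` delivers it as a single argument regardless of the spaces or metacharacters in the search string.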