Hi, I am unable to filter out sctp.chunk_type packets, which are eating up the space. Which is the correct filter format to be used? I used this filter in my script (and ! sctp.chunk_type == 5 and ! sctp.chunk_type == 4) and also used (and not sctp.chunk_type == 5 and not sctp.chunk_type == 4)

[[email protected] ~]# tshark -q -w /tmp/traces_1.cap -B 10 -i e
[[email protected] ~]# Running as user "root" and group "root". This could be dangerous.
Capturing on 'em2'
tshark: Invalid capture filter "

asked 09 Mar '16, 00:15 murthyvo
edited 09 Mar '16, 00:29 sindy
One Answer:
Please look at the difference between display filter and capture filter syntax (they differ significantly) and capabilities (which differ significantly too, as the display filters make full use of packet dissection while capture filters are much simpler). In your particular case you can only use the capture filter if the sctp chunk type can be found at a fixed place in the packet.

answered 09 Mar '16, 00:34 sindy
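The "fixed place" condition from the answer above, shown as an added example that is not part of the original thread: only the first chunk's type sits at a fixed offset (byte 12 of the SCTP header), while bundled chunks land wherever the preceding chunk lengths put them. The packets are constructed samples and the function names are illustrative; byte 12 is what a byte-offset capture-filter test such as `sctp[12]` would read, assuming libpcap's offset syntax over IPv4.

```python
import struct

SCTP_COMMON_HEADER_LEN = 12          # src port, dst port, verification tag, checksum
HEARTBEAT, HEARTBEAT_ACK = 4, 5      # the two chunk types from the question (RFC 4960)

def chunk_offsets(sctp: bytes):
    """Return [(offset, chunk_type), ...] for every chunk in one SCTP packet."""
    chunks, off = [], SCTP_COMMON_HEADER_LEN
    while off + 4 <= len(sctp):
        ctype, _flags, length = struct.unpack_from("!BBH", sctp, off)
        if length < 4:               # malformed chunk header: stop instead of looping
            break
        chunks.append((off, ctype))
        off += (length + 3) & ~3     # chunks are padded to a 4-byte boundary
    return chunks

def fixed_offset_drops(sctp: bytes) -> bool:
    """What a byte-offset capture filter can decide: it sees byte 12 only."""
    return (len(sctp) > SCTP_COMMON_HEADER_LEN
            and sctp[SCTP_COMMON_HEADER_LEN] in (HEARTBEAT, HEARTBEAT_ACK))

def dissected_match(sctp: bytes) -> bool:
    """What a display filter on sctp.chunk_type sees: any chunk in the packet."""
    return any(t in (HEARTBEAT, HEARTBEAT_ACK) for _, t in chunk_offsets(sctp))

def _chunk(ctype: int, value: bytes) -> bytes:
    """Build one chunk (type, flags=0, length, value) with padding."""
    body = struct.pack("!BBH", ctype, 0, 4 + len(value)) + value
    return body + b"\x00" * (-len(body) % 4)

# Constructed sample packets (ports, tag and checksum are arbitrary values).
HDR = struct.pack("!HHII", 2905, 2905, 0x11223344, 0)
HEARTBEAT_ONLY = HDR + _chunk(HEARTBEAT, b"\x00\x01\x00\x08abcd")
DATA_ONLY = HDR + _chunk(0, b"\x00" * 12 + b"payload")
SACK_THEN_HB_ACK = (HDR + _chunk(3, b"\x00" * 12)
                    + _chunk(HEARTBEAT_ACK, b"\x00\x01\x00\x08abcd"))

if __name__ == "__main__":
    samples = [("heartbeat only", HEARTBEAT_ONLY), ("data only", DATA_ONLY),
               ("sack + heartbeat ack", SACK_THEN_HB_ACK)]
    for name, pkt in samples:
        print(f"{name:22} chunks={chunk_offsets(pkt)} "
              f"offset-test={fixed_offset_drops(pkt)} dissected={dissected_match(pkt)}")
```

A heartbeat that travels as the only chunk is caught by the offset test; one bundled behind another chunk is visible only after dissection, which is the capability gap between the two filter types.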