
Revision history

initial version

filter for "data" to match packets

Dear all,

When I run tshark on a particular trace file (file1.pcap) where, let's say, frame #1 is important to me and I want to search for the exact same frame inside another trace file (file2.pcap), here is what I try to do:

  1. tshark -r file1.pcap -Y frame.number==1 -Tfields -e data. This gives me the payload of the frame without its headers as a hex stream (same as if I right-click inside the hexpane).
  2. For the other file where the exact same packet is also captured, I try to filter for that hex stream, e.g. using tshark -r file2.pcap -Y data=="<paste from step1>" or tshark -r file2.pcap -Y data contains "<subset from that string>",

which both don't work.

However, if I use -Y "data contains 80:00:00" where 80:00:00 is just a random example it works.

So my question is how to match the -Tfields -e data output for "data" filtering without adding colons between every byte :)
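The mismatch above is one of notation: -e data prints the bytes as one unbroken hex string, while the display filter wants a colon-separated byte string. The script below is an added example, not part of the question or of the Wireshark project; it reformats the hex stream with sed and feeds it back into a filter. It relies on the "data contains" form the question confirms works, and assumes that "data ==" accepts the same byte syntax.

```shell
#!/bin/sh
# Added example (not from the question): turn the colon-less hex stream that
# `tshark -T fields -e data` prints into the colon-separated byte string a
# display filter expects, then reuse it to search a second capture.

# "800000" -> "80:00:00". Expects an even number of hex digits, which is what
# tshark -e data emits; an empty input yields an empty result.
hex_to_bytes() {
    printf '%s' "$1" | sed 's/../&:/g; s/:$//'
}

# Build the filter text. $1 = hex stream, $2 = operator: "contains" (confirmed
# in the question) or "==" (assumed to accept the same byte syntax).
# Fails (returns 1) when the hex stream is empty, so no broken filter is built.
payload_filter() {
    bytes=$(hex_to_bytes "$1")
    [ -n "$bytes" ] || return 1
    printf 'data %s %s' "$2" "$bytes"
}

# Extract the payload of frame $2 from capture $1 and list the frames in
# capture $3 whose data field contains the same bytes.
find_same_payload() {
    hex=$(tshark -r "$1" -Y "frame.number==$2" -T fields -e data) || return 1
    filter=$(payload_filter "$hex" contains) || {
        echo "frame $2 of $1 carries no data field" >&2
        return 1
    }
    tshark -r "$3" -Y "$filter"
}

# Usage: sh find_payload.sh file1.pcap 1 file2.pcap
if [ "$#" -eq 3 ]; then
    find_same_payload "$1" "$2" "$3"
fi
```

Because "contains" also matches frames whose payload merely includes those bytes, switch the operator to "==" when an exact match is wanted.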
