
Tshark -R vs -Y filter option

0

tshark provides -R and -Y filters. What is the difference between the read filter -R and the display filter -Y? I have been using the -Y option to apply a filter to get a subset of the logs while converting them to PDML (XML) for further processing.

tshark -r source.pcap -Y "(s1ap.procedureCode == 13 && nas_eps.nas_msg_emm_type == 0x5e )" -T pdml > filtered_xml.xml

This works fine on the Windows build. However, -Y is an invalid option on the Linux build.

mymachine{66}$ tshark -v
TShark 1.8.10 (SVN Rev Unknown from unknown)
  • What is the difference between the -Y and -R filter options?
  • In the Linux build I do not see the -Y option; what is the equivalent that can be used?

From tshark -h on Windows:

-R <read filter>         packet Read filter in Wireshark display filter syntax

-Y <display filter> packet displaY filter in Wireshark display filter

asked 23 Jan ‘17, 19:07


wire990099
11236
accept rate: 0%

edited 23 Jan ‘17, 20:25


One Answer:

0

-R filters packets during the first pass of analysis.

-Y filters packets on a single-pass dissect.

"Normally" on a current tshark (2.2.X) you would use -Y. However, your tshark version is pretty old (1.8.10). Here you have to use -R.

-Y was introduced with 1.10.X.

answered 24 Jan '17, 02:04


Uli
9031515
accept rate: 29%
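A version-aware wrapper for the situation in the question, added here as an example (it is not code from the question or the answer): it parses the first line of `tshark -v`, picks -Y on 1.10 or newer and -R on older builds such as 1.8.10, and assembles the PDML export command from the question. The function names and the sample version banners are constructed for this example.

```shell
#!/bin/sh
# Added example: choose the tshark filter flag that the installed version accepts.
# -Y (display filter) exists from 1.10 onward; older builds only take -R (read filter).

# Extract "major.minor" from a `tshark -v` banner, e.g.
# "TShark 1.8.10 (SVN Rev Unknown from unknown)" -> "1.8".
# The regex also tolerates the newer "TShark (Wireshark) 3.6.2 ..." banner form.
tshark_major_minor() {
    printf '%s\n' "$1" | sed -n 's/^TShark[^0-9]*\([0-9][0-9]*\)\.\([0-9][0-9]*\).*/\1.\2/p'
}

# Print -Y for 1.10 or newer, -R otherwise.
filter_flag_for_version() {
    mm=$(tshark_major_minor "$1")
    if [ -z "$mm" ]; then
        echo "-Y"     # unrecognised banner: assume a current tshark
        return
    fi
    major=${mm%%.*}
    minor=${mm##*.}
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 10 ]; }; then
        echo "-Y"
    else
        echo "-R"
    fi
}

# Build the PDML export command line from the question with the right flag.
build_cmd() {
    flag=$(filter_flag_for_version "$1")
    printf 'tshark -r source.pcap %s "(s1ap.procedureCode == 13 && nas_eps.nas_msg_emm_type == 0x5e )" -T pdml' "$flag"
}

# Only talk to a real tshark when one is installed; the functions above work without it.
if command -v tshark >/dev/null 2>&1; then
    banner=$(tshark -v 2>/dev/null | head -n 1)
    echo "Detected: $banner"
    echo "Would run: $(build_cmd "$banner") > filtered_xml.xml"
fi
```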