This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark: Read filters were specified both with “-R” and with additional command-line arguments

0
1

I'm facing this problem whenever I run tshark:

tshark: Read filters were specified both with "-R" and with additional command-line arguments

My command (run in a script) looks something like this:

./tshark -r $1 -w $2 -R "(frame.time >= 'Mar 21, 2012 14:45:13.000'  &&  \
frame.time < 'Mar 21, 2012 15:00:13.000') && \
(eth.dst==18:80:f5:10:85:08  || eth.dst==ff:ff:ff:ff:ff:ff) && \
!(eth.src==18:80:f5:10:85:08 ) && (vlan.id==10 || vlan.id==12)   && \
!(udp.port>49152 && !icmp && !udp.port==55124)" || \
exit 1

asked 26 Mar '12, 03:35

sangmeshp's gravatar image

sangmeshp
367811
accept rate: 0%

edited 26 Mar '12, 15:36

helloworld's gravatar image

helloworld
3.1k42041


One Answer:

0

This worked for me in OSX:

./tshark -r $1 -w $2 -R '(frame.time >= "Mar 21, 2012 14:45:13.000" && frame.time < "Mar 21, 2012 15:00:13.000") && (eth.dst==18:80:f5:10:85:08  || eth.dst==ff:ff:ff:ff:ff:ff) && !(eth.src==18:80:f5:10:85:08 ) && (vlan.id==10 || vlan.id==12)   && !(udp.port>49152 && !icmp && !udp.port==55124)' || exit 1

Changes:

  1. Replace your single-quotes around the dates with double-quotes.
  2. Replace your double-quotes around the super-long display-filter with single-quotes.

answered 26 Mar '12, 16:01

helloworld's gravatar image

helloworld
3.1k42041
accept rate: 28%

thanks you it worked....

(26 Mar '12, 22:53) sangmeshp

Yes - the only quote mark that can be used in a display filter for quoted strings such as a date and time is the double-quote character; you can't quote strings in a display filter with single quotes, so "Mar 21, 2012 14:45:13.000" is a valid string in a display filter but 'Mar 21, 2012 14:45:13.000' isn't.

(26 Mar '12, 23:15) Guy Harris ♦♦