Multiple filter in tshark

Question

The filters -Y, -2 and -R in tshark confusing in Wireshark version 2.XX.

In version 1.8, we were able to apply multiple filters and save the filtered packets in csv file using command below:

tshark.exe -r src.pcap -T fields -e frame.number -e frame.time -e frame.len -e ip.src -e ip.dst -e udp.srcport -e udp.dstport -E header=y -E separator=, -E quote=d -E occurrence=f -R (ip.src==x.x.x.x)&&(ip.dst==y.y.y.y) > filtered.csv

But this command does not work in versions 2.x. Please help if someone applied multi-filter in new Wireshark versions.

Answer 1

On windows 7, I had this working with wireshark 2.2.1, adding -2 and quoting the string that follow -R option, like this:

tshark.exe -r mypcap.pcapng -T fields -2 -e frame.number -e frame.time -e frame.len -E header=y -E separator=, -E quote=d -E occurrence=f -R "(ip.src==192.168.1.20)&&(ip.dst==20.1.168.192)"

Not quoting the expression after "-R" results in printing fields and evaluate expression. If the expression results TRUE, the filter is recognized and the result is given. Otherwise the filter (e.g. ip.src) will be evalued as a command by the system, resulting in "command not recognized"

Answer 2

You should be able to achieve what you want by replacing -R (ip.src==x.x.x.x)&&(ip.dst==y.y.y.y) with -Y "(ip.src==x.x.x.x)&&(ip.dst==y.y.y.y)".