Reputation: 407
Convert wireshark filter notation to tshark filter notation
I want to filter a pcap file with tshark (linux, command line).
The notation of my filter in wireshark @ windows is:
frame.time >= "2017-07-11 13:37:07" && frame.time <= "2017-07-11 13:37:11"
So what's the right notation for tshark in linux?
After several trials I haven't found the right solution yet.
Thanks in advance!
Upvotes: 2
Views: 1871
Answers (2)
Reputation: 407
Ahhh now I've found the solution to my question!!
Replacing the tshark filter "frame.time" through "frame.time_epoch" and for example "2017-07-11 13:37:10" through "1499773030.999955000" causes the packet to be filtered out. :)))
Upvotes: 1
Reputation: 62733
You can use the -Y option.
-Y
Cause the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) to be applied before printing a decoded form of packets or writing packets to a file.
Because of bash, you have also to escape the display filter with single quotes:
tshark -Y 'frame.time >= "2017-07-11 13:37:07" && frame.time <= "2017-07-11 13:37:11"'
Upvotes: 4
Related Questions
- Convert Wireshark Filter Expression to BPF
- How to use filters in the wireshark?
- tshark gives invalid capture filter error
- Tshark filter protocol FIX
- Multiple filter in tshark
- 2-pass filter in Wireshark/tshark
- Wireshark filter syntax needed
- Using tshark filter with SIP tcp trace
- Resolving protocol names in custom tshark display filter
- Wireshark filter syntax