1 vote

I want to filter a pcap file with tshark (linux, command line).

The notation of my filter in Wireshark on Windows is:

frame.time >= "2017-07-11 13:37:07" && frame.time <= "2017-07-11 13:37:11"

So what's the right notation for tshark in linux?

After several trials I haven't found the right solution yet.

Thanks in advance!


2 Answers

2 votes

You can use the -Y option.

-Y

Cause the specified filter (which uses the syntax of read/display filters, rather than that of capture filters) to be applied before printing a decoded form of packets or writing packets to a file.

Because of bash, you also have to escape the display filter with single quotes:

tshark -Y 'frame.time >= "2017-07-11 13:37:07" && frame.time <= "2017-07-11 13:37:11"'
1 vote

Ahhh, now I've found the solution to my question!!

Replacing "frame.time" in the tshark filter with "frame.time_epoch", and for example "2017-07-11 13:37:10" with "1499773030.999955000", causes the packets to be filtered. :)))
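Putting the two answers together, as an added example that is not code from either post: a small POSIX shell script that turns the wall-clock timestamps from the question into the frame.time_epoch form the asker settled on, and passes the result to tshark through -Y, quoted so the shell leaves && and >= alone. It assumes GNU date (for the -d option) and a capture taken at UTC+2, which is what the asker's value 1499773030 for 13:37:10 implies (13:37:10 UTC would be 1499780230, exactly two hours later); the capture file name is a hypothetical argument.

```shell
#!/bin/sh
# Added example, not code from the original question or answers.
# Assumes GNU date (for -d); tshark is only invoked if it is installed.

# to_epoch "YYYY-MM-DD HH:MM:SS" "+HHMM": print Unix-epoch seconds for a
# wall-clock time at the given UTC offset. Pinning the offset explicitly
# makes the result independent of the TZ of the machine running the script.
to_epoch() {
    date -u -d "$1 $2" +%s
}

# time_filter START END OFFSET: print a display filter on frame.time_epoch.
# frame.time_epoch is a plain number, so no date string has to be quoted
# and the same filter works under any locale or time zone.
time_filter() {
    start=$(to_epoch "$1" "$3")
    end=$(to_epoch "$2" "$3")
    printf 'frame.time_epoch >= %s && frame.time_epoch <= %s' "$start" "$end"
}

# Usage: ./timefilter.sh capture.pcap   (capture.pcap is a hypothetical name)
# Quoting "$filter" keeps the shell from splitting it on spaces or
# interpreting the && and >= inside it.
if [ -n "$1" ] && command -v tshark >/dev/null 2>&1; then
    filter=$(time_filter '2017-07-11 13:37:07' '2017-07-11 13:37:11' '+0200')
    tshark -r "$1" -Y "$filter"
fi
```

For the question's range this prints `frame.time_epoch >= 1499773027 && frame.time_epoch <= 1499773031`. Note that frame.time_epoch carries fractional seconds (the asker's own value ends in .999955000), so with an integer upper bound a packet stamped 13:37:11.5 falls outside `<= 1499773031`; to include the whole final second, compare with `< 1499773032` instead.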