A pcap filter? You mean a capture file? The pcap/capture filter syntax does not provide a 'contains' keyword, so it's not possible. You can only use 'contains' in the display filter syntax, which is unique to Wireshark (and tshark, etc.).
--gilbert
On 7/2/07, Amit Paliwal <Amit.Paliwal@xxxxxxxxxxxxxxx> wrote:
Yes, I am using the 'contains' keyword, and I am giving the name of my protocol, which is a string. I am running it on Windows and I also used 'udp contains my_protocol', but it's not working. I need to give filter expressions defined by pcap, but I am not getting any documentation for it.
You're really using the "contains" keyword? That's for strings and binary strings.
The spaces in your filter are probably confusing the shell when you
invoke wireshark/tshark from the command-line. Are you running on
Unix? Use single quotes around your filter:
tshark ............ 'udp contains xxx'
--gilbert
On 7/2/07, Amit Paliwal <Amit.Paliwal@xxxxxxxxxxxxxxx> wrote:
>
> I want to set a command-line filter expression for a proprietary protocol that
> is registered over UDP by its name. I am able to do it directly in the Wireshark
> GUI by setting the expression as "UDP contains my_protocol", but I need to
> do the same from the command line, which I am unable to do right now.
>
> Please suggest.
>
> Regards,
>
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
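The thread's point is that pcap capture filters can only compare bytes at fixed offsets, while 'contains' belongs to the display filter language. The following is an added example, not part of the original thread: it builds a pcap capture filter that matches a string only when it sits at the very start of the UDP payload over IPv4, which is an assumption about the protocol. The function name `payload_prefix_filter` is hypothetical.

```shell
#!/bin/sh
# Added example: pcap filter syntax has no 'contains', only fixed-offset
# comparisons such as udp[offset:size] = value, where size is 1, 2 or 4.
# This builds such a filter for a string at the START of the UDP payload.
# Assumption: IPv4 traffic (udp[...] indexing does not apply to IPv6).

# payload_prefix_filter STRING -> prints a pcap filter expression
payload_prefix_filter() {
    if [ -z "$1" ]; then
        echo "payload_prefix_filter: empty string" >&2
        return 1
    fi
    # Hex-encode the string: two hex digits per byte, no separators.
    hex=$(printf '%s' "$1" | od -An -v -tx1 | tr -d ' \n')
    off=8      # the UDP header is 8 bytes, so the payload starts at udp[8]
    expr=""
    while [ -n "$hex" ]; do
        # Consume 4, 2 or 1 bytes, the only widths the syntax accepts.
        if   [ ${#hex} -ge 8 ]; then n=4
        elif [ ${#hex} -ge 4 ]; then n=2
        else n=1
        fi
        chunk=$(printf '%s' "$hex" | cut -c1-$((n * 2)))
        hex=$(printf '%s' "$hex" | cut -c$((n * 2 + 1))-)
        expr="${expr:+$expr and }udp[$off:$n] = 0x$chunk"
        off=$((off + n))
    done
    printf '%s\n' "$expr"
}

# Capture filter (pcap syntax), applied while capturing:
#   tshark -i <interface> -f "$(payload_prefix_filter my_protocol)"
# Display filter (Wireshark syntax), matches the string anywhere in the
# UDP data; -Y is the display-filter option in current tshark releases:
#   tshark -r <capture-file> -Y 'udp contains "my_protocol"'
```

If the string can appear at an arbitrary offset, only the display filter form applies; the capture filter above will miss those packets.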