Wireshark-users: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark
From: Mitsuho Iizuka <m-iizuka@xxxxxxxxxxxxx>
Date: Thu, 28 Jun 2007 17:40:15 +0900 (JST)
Hi,

From: Sake Blok <sake@xxxxxxxxxx>
Subject: Re: [Wireshark-users] how to drop 400 unwanted packets to analyze with wireshark ?
Date: Thu, 28 Jun 2007 10:20:17 +0200

> Healthchecks done by LB's are usually done from their own IP-address
> while production traffic is either from the client-ip or the NATted
> address, which is usually different from the address that the health
> checks are sent from. But... this varies per LB-brand. If they
> are different, you can filter on the ip-addresses. Please note
> that you can use a filter like "!ip.addr==<ip-healthchecks>"

Ummm ... I'm a fool...
Yes, those are only 4 IPs. I will do it.

> Exactly, editcap just takes frame-numbers or times as filters. But you
> can use tshark for your purpose like this:
> 
> tshark -r <in-file> -w <out-file> -R "<display-filter of frames you want to keep>"
> 
> If you have a complex filter and you are using tshark from unix (or cygwin),
> you could have the filter in a file and do:
> 
> tshark -r <in-file> -w <out-file> -R "`cat <filter-file>`"

Can tshark -R accept ``? It is new to me. Just for my understanding,
are there any limitations? Such as shell command line
length limitation.

I have been looking for a tool that can handle complex display filters.
I know Ethereal has an IDL extension according to their site.

How about Wireshark?

Regards,
// Mitsuho Iizuka
// AP Server Grp., 2nd System Software Div.,
// System Software Opr.Unit, IT Platform Biz.Unit, NEC Corp.
// Phone:+81-3-3456-4322
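An added example, not code from either poster, of the approach Sake describes above: a POSIX shell function that builds the "keep everything except the health-check addresses" display filter from a file listing those addresses, checks the result against the argument-length limit Mitsuho asks about, and only invokes tshark when it is installed. The file name, the four IP addresses and the function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original thread.
# Build a display filter that keeps every frame NOT sent to or from one of
# the load balancer's health-check addresses, reading the addresses from a
# file (one per line) instead of typing them on the command line.

# Constructed sample: four health-check source addresses (assumed values).
HEALTHCHECK_FILE="${TMPDIR:-/tmp}/healthcheck-ips.txt"
printf '%s\n' 10.0.0.1 10.0.0.2 10.0.0.3 10.0.0.4 > "$HEALTHCHECK_FILE"

# keep_filter FILE -> prints "!(ip.addr==A || ip.addr==B || ...)"
keep_filter() {
    filter=""
    while IFS= read -r ip; do
        [ -z "$ip" ] && continue
        if [ -z "$filter" ]; then
            filter="ip.addr==$ip"
        else
            filter="$filter || ip.addr==$ip"
        fi
    done < "$1"
    printf '!(%s)' "$filter"
}

# filter_fits FILTER -> succeeds if the filter is shorter than the limit
# reported by getconf ARG_MAX. The "`cat file`" trick in the thread still
# passes the whole filter as a single argv entry, so the limit applies.
filter_fits() {
    limit=$(getconf ARG_MAX 2>/dev/null || echo 4096)
    [ "${#1}" -lt "$limit" ]
}

# drop_healthchecks IN OUT IPFILE -> writes the surviving frames to OUT.
# -Y is the single-pass display filter in current tshark; -R (as in the
# thread) is now a read filter that needs the two-pass option -2.
drop_healthchecks() {
    f=$(keep_filter "$3")
    filter_fits "$f" || { echo "filter too long for argv" >&2; return 1; }
    if command -v tshark >/dev/null 2>&1; then
        tshark -r "$1" -w "$2" -Y "$f"
    else
        echo "tshark not installed; would run: tshark -r $1 -w $2 -Y \"$f\"" >&2
    fi
}
```

Keeping the address list in a file means the filter can grow with more health-check sources without retyping it, but the expanded filter still counts against the shell's argument limit.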