
tshark gets data from an interface or from pcap files. When it reads data from an interface, the user has to write the filter with -f (according to pcap-filter(7)), and when it reads from a file, the user has to write the filter with -Y (according to wireshark-filter(4)).

My scenario:

I have to read pcap files, so I have to use wireshark-filter syntax.
I have the src address, dst address, src port and dst port, but I don't know the type of session (TCP or UDP). Wireshark syntax has the following options for ports:

tcp.dstport
tcp.srcport 
udp.dstport
udp.srcport
tcp.port 
udp.port

I don't know whether my packets are TCP or UDP, and I need to write a filter according to dst port and src port.

How can I implement this with tshark and -Y?

1 Answer


You can build a display filter (-Y option) using the or logical operator to take account of both UDP and TCP packets.

For example:

udp.srcport==8899 or tcp.srcport==8899 or udp.dstport==7788 or tcp.dstport==7788
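
An added example, not part of the original answer: a POSIX shell helper that builds a -Y filter for the question's scenario, matching both addresses and both ports for either TCP or UDP, in the src-to-dst direction only. The function names, capture.pcap and the sample addresses are assumptions made for illustration; it goes slightly beyond the question by also handling IPv6 addresses.

```shell
#!/bin/sh
# Added example: build a tshark display filter for one flow when the
# transport protocol (TCP or UDP) is unknown.

# Accept only a decimal port in 0..65535, so nothing else is spliced
# into the filter string.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -le 65535 ]
}

# Pick the address field prefix: "ipv6" if the address has a colon,
# otherwise "ip". Rejects anything not made of hex digits, dots and colons.
addr_layer() {
    case "$1" in
        ''|*[!0-9A-Fa-f.:]*) return 1 ;;
        *:*) echo ipv6 ;;
        *)   echo ip ;;
    esac
}

# flow_filter SRC DST SPORT DPORT -> display filter for that direction.
flow_filter() {
    l3=$(addr_layer "$1") || return 1
    # Both addresses must belong to the same address family.
    [ "$l3" = "$(addr_layer "$2")" ] || return 1
    valid_port "$3" && valid_port "$4" || return 1
    printf '%s.src == %s and %s.dst == %s and ((tcp.srcport == %s and tcp.dstport == %s) or (udp.srcport == %s and udp.dstport == %s))\n' \
        "$l3" "$1" "$l3" "$2" "$3" "$4" "$3" "$4"
}

# Usage (capture.pcap and the addresses are constructed sample values):
#   tshark -r capture.pcap -Y "$(flow_filter 192.0.2.10 198.51.100.20 8899 7788)"
```

Packets travelling in the reverse direction of the same session are not matched; call the function again with the addresses and ports swapped and join the two results with or.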
