tshark filters in Centos 7
I am working on some tshark filters and need to split a pcap on a time basis for a particular SIP and DIP. I have tried editcap, but it can only split on a time basis; I cannot pass an IP address to editcap. I saw that tshark can do this:
[root@ids01 snort-1]# tshark -r snort.log.1518688921 -w /tmp/pcap_tshark.pcap -Y "(frame.time >= "" Feb 17, 2018 16:00:00"") && (frame.time <= ""Feb 17, 2018 16:01:00"") && ip.addr==192.0.0.7"
Please see the bold part for the error. What is the issue with the filters? I am using CentOS 7.
tshark: "17" was unexpected in this context
command-line quoting wireshark tshark
asked Feb 17 at 7:38
chandu
1 Answer
accepted
The problem is with the usage of quotes: you need a backslash to preserve the double quotes of the filter. Try this:
tshark -r snort.log.1518688921 -w /tmp/pcap_tshark.pcap -Y '(frame.time >= "Feb 17, 2018 16:00:00") && (frame.time <= "Feb 17, 2018 16:01:00") && ip.addr==192.0.0.7'
or this, which also permits using variables instead of hard-coded time values, for example inside a script (the inner quotes are escaped so they reach tshark and the expansions are not word-split):
dbeg="Feb 17, 2018 16:00:00"
dend="Feb 17, 2018 16:01:00"
tshark -r snort.log.1518688921 -w /tmp/pcap_tshark.pcap -Y "(frame.time >= \"$dbeg\") && (frame.time <= \"$dend\") && ip.addr==192.0.0.7"
answered Feb 17 at 9:10
tonioc
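The quoting problem above, worked through as an added example that is not part of the question or the answer. It builds the display filter in a function so the timestamps and host come from variables, counts how many argv words each quoting style actually hands to tshark (the `-Y` option must receive exactly one), and adds a direction-specific variant using `ip.src`/`ip.dst`, since `ip.addr` matches either end. The file names are the ones from the question; `tshark` on PATH is assumed, and it is only invoked when the script is given arguments.

```sh
#!/bin/sh
# Added example (not from the original post). Shows why the question's
# quoting fails, why unescaped variable expansion fails too, and how to
# hand tshark a single, correctly quoted display filter.

# Build the display filter. The inner double quotes around the timestamps
# are required by tshark for frame.time comparisons; printf emits them
# literally because the format string is single-quoted.
build_filter() {
    start="$1"; end="$2"; host="$3"
    printf '(frame.time >= "%s") && (frame.time <= "%s") && ip.addr == %s' \
        "$start" "$end" "$host"
}

# Direction-specific variant: only packets from $3 to $4 inside the window.
build_directional_filter() {
    start="$1"; end="$2"; src="$3"; dst="$4"
    printf '(frame.time >= "%s") && (frame.time <= "%s") && ip.src == %s && ip.dst == %s' \
        "$start" "$end" "$src" "$dst"
}

# Report how many argv words a given quoting produced.
count_args() {
    echo "$#"
}

dbeg="Feb 17, 2018 16:00:00"
dend="Feb 17, 2018 16:01:00"

# The question's form: "" just closes and reopens the shell string, so the
# argument is one word but no double quotes survive. tshark then sees a
# bare Feb 17, 2018 ... and reports: "17" was unexpected in this context.
question_arg="(frame.time >= "" Feb 17, 2018 16:00:00"") && (frame.time <= ""Feb 17, 2018 16:01:00"") && ip.addr==192.0.0.7"

# Unescaped expansion: $dbeg sits outside the quotes, so the shell splits
# it at spaces and -Y gets only the first fragment (7 words here).
broken_words=$(count_args "(frame.time >= "$dbeg") && (frame.time <= "$dend") && ip.addr==192.0.0.7")

# Escaped inner quotes: one word, and the quotes reach tshark intact.
fixed_words=$(count_args "(frame.time >= \"$dbeg\") && (frame.time <= \"$dend\") && ip.addr==192.0.0.7")

# Write the matching packets to a new pcap (assumes tshark is on PATH).
split_pcap() {
    infile="$1"; outfile="$2"; shift 2
    filter=$(build_filter "$@")
    tshark -r "$infile" -w "$outfile" -Y "$filter"
}

# Only touch tshark when invoked with arguments, e.g.:
#   sh split.sh snort.log.1518688921 /tmp/pcap_tshark.pcap \
#       "Feb 17, 2018 16:00:00" "Feb 17, 2018 16:01:00" 192.0.0.7
if [ "$#" -eq 5 ]; then
    split_pcap "$@"
fi
```

Note that `frame.time` is the capture host's local time of each packet, so the window you pass must be in the same timezone as the machine that did the capture; if the sensor runs in UTC, compare against `frame.time_epoch` or use UTC timestamps.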