Re: tsahark command string no longer working

[Jakub Zawadzki <darkjames-ws () darkjames pl>]

Hi,

On Mon, Apr 02, 2012 at 03:25:09PM +0200, Anders Broman wrote:
> This tshark command string used to work but now it gives an error, ideas?
>
> ./tshark -i eth1 -w /tmp/httpoam.log -n -f "(net 10.80.34.96/27 or net 10.80.34.0/27) and port 80" -N mtC -z 
> proto,colinfo,http.request.method,http.request.method -z proto,colinfo,http.response.code,http.response.code -S -a 
> duration:6
>
> tshark: A capture filter was specified both with "-f" and with additional command-line arguments

  -S <separator>           the line separator to print between packets

It assumes that -a is separator, and 'duration:6' is "additional" filter?

r39168[1] is probably culprit:
        Add a new tshark option for being able to specify an alternate line
        separator between packets.  The option chosen was "-S <separator>".
        The former -S option was renamed to -P, and the former -P option,
        which was previously undocumented, was renamed to -2. 

So you probably want:
 $ tshark -i eth0 -w /tmp/httpoam.log -n -f "(net 10.80.34.96/27 or net 10.80.34.0/27) and port 80" \
       -N mtC -z proto,colinfo,http.request.method,http.request.method \
           -z proto,colinfo,http.response.code,http.response.code -P -a duration:6

hth.

[1] http://anonsvn.wireshark.org/viewvc?view=revision&revision=39168
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe