Wireshark-bugs: [Wireshark-bugs] [Bug 11556] New: TShark does not display all packets even when
Date: Wed, 30 Sep 2015 06:26:33 +0000
Bug ID 11556
Summary TShark does not display all packets even when they match a given read filter
Product Wireshark
Version 1.12.2
Hardware x86
OS Ubuntu
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee bugzilla-admin@wireshark.org
Reporter gangarmihir90@gmail.com

Created attachment 13893 [details]
Capture file used for the example mentioned in description

Build Information:
TShark 1.12.2 (Git Rev Unknown from unknown)

Copyright 1998-2014 Gerald Combs <gerald@wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (32-bit) with GLib 2.34.0, with libpcap, with libz 1.2.3, without
POSIX
capabilities, without libnl, without SMI, without c-ares, without ADNS, without
Lua, without Python, without GnuTLS, with Gcrypt 1.4.6, with MIT Kerberos,
without GeoIP.

Running on Linux 3.8.0-19-generic, with locale en_US.UTF-8, with libpcap
version
1.5.3, with libz 1.2.7.

Built using gcc 4.1.2 20080704 (Red Hat 4.1.2-55).
--
While trying to read packets from a capture file using read filter (-R) and
"-2" option, I see that packets that exist and actually match the filter do not
get displayed.

1) This filter does not display any packets
$tshark -r tshark123.cap -n -d udp.port==9999,cflow  -T fields -e cflow.srcaddr
-R "ip.src="" && cflow.srcaddr==192.168.104.113" -
2
$

2) This proves the packets actually match the filter.
$tshark -r tshark123.cap -n -d udp.port==9999,cflow  -T fields -e cflow.srcaddr
-R "ip.src="" -2 | grep 192.168.104.113
192.168.104.113
192.168.104.113
$

3) This again does not display any packets.
$tshark -r tshark123.cap -n -d udp.port==9999,cflow  -T fields -e cflow.srcaddr
-Y "ip.src="" && cflow.srcaddr==192.168.104.113"
$

4) Using -Y with -2 matches the packets.
$tshark -r tshark123.cap -n -d udp.port==9999,cflow  -T fields -e cflow.srcaddr
-Y "ip.src="" && cflow.srcaddr==192.168.104.113" -2
192.168.104.113
192.168.104.113
$


You are receiving this mail because:
  • You are watching all bug changes.