Wireshark · Wireshark-users: Re: [Wireshark-users] absolute frame number in capture with -R ?

Wireshark-users: Re: [Wireshark-users] absolute frame number in capture with -R ?

Date: Mon, 28 Apr 2014 07:39:53 -0400

On Mon, Apr 28, 2014 at 1:29 AM, Mathias Koerber <mathias@xxxxxxxxxxx> wrote:
>
> I have a rather large pcap file I am trying to extract
> relevant frames from using tshark.
>
> using
>
> # tshark -2 -n -r infile -R '(filter)' -T fields -e frame.number
>
> yields frame-numbers starting from 1 anr continuously increasing.
> So apparently this counts the frames that matched the display filter.
>
> I would like to print the actual frame-number from the input file,
> so that I can later find the frames in their original context.
>
> How to do that?

If you're using tshark 1.10 or later, use the -Y 'filter' flag instead
of -R 'filter'.

Evan

References:
- [Wireshark-users] absolute frame number in capture with -R ?
  - From: Mathias Koerber

Prev by Date: [Wireshark-users] absolute frame number in capture with -R ?
Next by Date: [Wireshark-users] Gigasmart trailer
Previous by thread: [Wireshark-users] absolute frame number in capture with -R ?
Next by thread: [Wireshark-users] Gigasmart trailer
Index(es):
- Date
- Thread