Hello All I am writing a scripts to filter procedure with protocol field, when i tried to filter the capture with vlan packet its throwing an error message "tshark: Neither "eth.vlan.tpid" nor "0x8100" are field or protocol names." Can any one help to find the proper filter name for vlan(priority) packet on Debian
root@ZBF-PWE2:/home/oauser# sudo tshark -r monitor.pcap1 -w monitor_test.pcap -R "(ip.src == 40.40.40.2) && (ip.dsfield.dscp == 0x05)" Running as user "root" and group "root". This could be dangerous. root@ZBF-PWE2:/home/oauser# tshark -r monitor_test.pcap Running as user "root" and group "root". This could be dangerous. 1 0.000000 Intel_a5:8c:39 -> Intel_a5:8c:7a IP [Packet size limited during capture] 2 1.000375 Intel_a5:8c:39 -> Intel_a5:8c:7a IP [Packet size limited during capture] 3 2.000716 Intel_a5:8c:39 -> Intel_a5:8c:7a IP [Packet size limited during capture] 4 3.002074 Intel_a5:8c:39 -> Intel_a5:8c:7a IP [Packet size limited during capture] 5 3.010134 Intel_a5:8c:39 -> Intel_a5:8c:7a ARP [Packet size limited during capture] 6 4.003436 Intel_a5:8c:39 -> Intel_a5:8c:7a IP [Packet size limited during capture] 7 5.004796 Intel_a5:8c:39 -> Intel_a5:8c:7a IP [Packet size limited during capture] 8 6.006171 Intel_a5:8c:39 -> Intel_a5:8c:7a IP [Packet size limited during capture] 9 7.007515 Intel_a5:8c:39 -> Intel_a5:8c:7a IP [Packet size limited during capture] root@ZBF-PWE2:/home/oauser# sudo tshark -r monitor.pcap1 -w monitor_test.pcap -R "(ip.src == 40.40.40.2) && (eth.vlan.pri == 0)" tshark: Neither "eth.vlan.pri" nor "0" are field or protocol names. root@ZBF-PWE2:/home/oauser# sudo tshark -r monitor.pcap1 -w monitor_test.pcap -R "(eth.vlan.tpid == 0x8100) && (eth.vlan.pri == 0)" tshark: Neither "eth.vlan.tpid" nor "0x8100" are field or protocol names. root@ZBF-PWE2:/home/oauser# ^C root@ZBF-PWE2:/home/oauser# tshark -v TShark 1.4.6 Copyright 1998-2011 Gerald Combs <ger...@wireshark.org> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Compiled (32-bit) with GLib 2.28.6, with libpcap 1.1.1, with libz 1.2.3.4, with POSIX capabilities (Linux), without libpcre, with SMI 0.4.8, with c-ares 1.7.4, with Lua 5.1, without Python, with GnuTLS 2.10.5, with Gcrypt 1.4.6, with MIT Kerberos, with GeoIP. Running on Linux 2.6.32-5-686, with libpcap version 1.1.1, with libz 1.2.3.4. Built using gcc 4.5.2. root@ZBF-PWE2:/home/oauser# -- Muhammad Fahad.k +919844164764 +919663385645 "Knowledge is not what is memorised. Knowledge is what benefits."
