2-pass filter in Wireshark/tshark

1.3k views Asked by At

The option -Y, -2 and -R in tshark confuse me a long time.

After I read the manual, I know that -Y is used in single-pass filter and -2 in 2-pass filter (in case where we can not get some info until 1st pass filter is over)

But I still can not understand what is the difference between -2 -Y 'blabla' and -2 -R 'balabala' and -2 -Y 'blalal' -R 'blala'

And I also did an experiment that drive me crazy:

tshark -n -r test.pcap -2 -R 'frame.number > 0'
  1   0.000000 10.140.28.17 -> 10.74.68.58  TCP 80 62276 > 8989 [SYN, ECN, CWR] Seq=0 Win=65535 Len=0 MSS=1460 WS=32 TSval=330325315 TSecr=0 SACK_PERM=1
  2   0.000056  10.74.68.58 -> 10.140.28.17 TCP 76 8989 > 62276 [SYN, ACK, ECN] Seq=0 Ack=1 Win=28960 Len=0 MSS=1460 SACK_PERM=1 TSval=2078759468 TSecr=330325315 WS=128
  3   0.000678 10.140.28.17 -> 10.74.68.58  TCP 68 62276 > 8989 [ACK] Seq=1 Ack=1 Win=131744 Len=0 TSval=330325316 TSecr=2078759468
  4   0.000756 10.140.28.17 -> 10.74.68.58  HTTP 158 GET /index.html HTTP/1.1
  5   0.000770  10.74.68.58 -> 10.140.28.17 TCP 68 8989 > 62276 [ACK] Seq=1 Ack=91 Win=29056 Len=0 TSval=2078759468 TSecr=330325316

But when I execute tshark -n -r test.pcap -2 -R 'frame.number > 1', there is nothing printed. How to explain this?

My tshark version is: TShark 1.10.6 (v1.10.6 from master-1.10)

Can you help me with this problem? Thank you in advance!

1

There are 1 answers

1
Christopher Maynard On

I answered this question on http://ask.wireshark.org, but I'll paste my answer here as well in case anyone looks here for an answer instead of there.

-R specifies a read filter, so only matching packets from a file are read and processed; unmatched packets are essentially treated as if the file didn't contain them at all. Contrast this with -Y, which specifies a display filter, so only matching packets are displayed, but all packets are still read and processed.

The problem you're seeing with frame.number is a known bug that was determined not worth fixing long ago. See Bug 380, "wireshark -R doesn't support 'frame.number' as a read filter ".

You can also follow along some of the history behind -R vs. -Y here: