tshark cannot filter on SIP DNS OR DIAMETER messages

This issue was migrated from bug 4038 in our old bug tracker.

Original bug information:

Reporter: Kalpesh Katwala
Status: RESOLVED DUPLICATE
Product: Wireshark
Component: TShark
OS: Linux
Platform: Other
Version: 1.0.8

Duplicate of issue #2234

Kalpesh Katwala said:

Build Information: TShark 1.0.8

Copyright 1998-2009 Gerald Combs <gerald@‍wireshark.org> and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.12.3, with libpcap 0.9.4, with libz 1.2.3, without POSIX capabilities, with libpcre 6.6, with SMI 0.4.5,without ADNS, without Lua, with GnuTLS 1.4.1, with Gcrypt 1.2.4, with MIT Kerberos.

Running on Linux 2.6.18-164.e15, with libpcap version 0.9.4.

Built using gcc 4.1.2 20080704 (Red Hat 4.1.2-44).

I'm trying to use tshark.  This filter works well in version 0.99.4

% tshark -f <have a long string of IP's> -F libpcap -w Trace -a duration:30 -R "sip || dns || diameter"

This captures ALL the messages including the SIP/DNS/DIAMETER in addition to SCTP/M3UA/HSRP/TCP...

How do I select the Display filter to be ONLY SIP, DNS & DIAMETER?

thank you,
Kalpesh.

added clitshark oslinux version1.0 labels

Jeff Morriss said:

The problem is that display filters ("-R") don't work in tshark when using -w.

*** This bug has been marked as a duplicate of bug #2234 ***

closed