 | 1 | initial version |
(example capture is sctp-www.cap from the Wireshark Wiki Sample Captures)
By default, tshark (man page) makes a single pass through the capture so it can see the current packet and into the past.
$ tshark -r ./sctp-www.cap -Y http -T fields -e frame.number -e http.request_in 5 7 5 16 21 22 21 27 29 27 50 65 68
Output can be limited to only frames that contain the fields we're interest in:
$ tshark -r ./sctp-www.cap -Y http.request_in -T fields -e frame.number -e http.request_in 7 5 22 21 29 27
To look into the future, tshark needs to make two passes through the capture file:
-2 Perform a two-pass analysis. This causes tshark to buffer output until the entire first pass is done, but allows it to fill in fields that require future knowledge, such as 'response in frame #' fields. Also permits reassembly frame dependencies to be calculated correctly.
Single pass
$ tshark -r ./sctp-www.cap -Y http.next_request_in -T fields -e frame.number -e http.next_request_in $
Add -2 option for two-pass processing
$ tshark -2 -r ./sctp-www.cap -Y http.next_request_in -T fields -e frame.number -e http.next_request_in 5 21 7 21
