 | 1 | initial version |
As Anders' comment suggested, there is a preference setting tcp.reassemble_out_of_orderthat defaults to False on installation. The preference file is modified by the wireshark gui, this caused my windows cmd tshark to reassemble the out-of-order segments, as I ticked it when I was reading the file on the gui.
In linux tshark (without a gui in my case) however you need to overwrite this parameter when running the command like this:
tshark -o tcp.reassemble_out_of_order:TRUE -r ooo.pcap -T fields -e frame.protocols frame.number==650