 | 1 | initial version |
In general, if a field is found multiple times in a packet, it is displayed as a list. The same applies when added as a column in Wireshark. For example:
tshark -r file.pcapng -T fields -e ip.addr -Y ip
Will normally show 2 IP4-addresses (src + dst) as a comma-seperated list. Comma is the default, that can be changed with the option -E aggregator.
So if ip.ttl outputs multiple values it occurs multiple times. for example a ICMP packet.