Ask Your Question
0

How to specify that tshark shows packets' protocol at transport layer not application layer?

asked 2019-10-03 13:40:51 +0000

Zahra gravatar image

Hi,

I want to make decision on packet based on their transport layer protocol (Whether it is TCP or UDP). Now I do it by checking whether the tcp.srcport is set or not. How can I change the protocols layer shown in _ws.col.Protocol to transport layer instead of application layer in the output of the following command?

tshark -r  capture.pcap  -T fields -E separator=, -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e frame.len -e _ws.col.Protocol -E header=y -E quote=d -E occurrence=f > capture.csv

According to tshark manpage, It seems that -j or -J option do something similar to what I needed, but I couldn't find such example.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-10-03 14:23:16 +0000

Chuckc gravatar image

updated 2019-10-03 14:31:09 +0000

Can you do it with the ip.proto field?

Or disable the dissectors for the application layers: (ignore ref to data.data for your use) https://ask.wireshark.org/question/11...

Brute force might be to have a profile with all protocols disabled except ethernet, ipv4, ipv6?, tcp and udp. Use "-C" to specify the profile to load and print the data.data field.

tshark -r .\http-riverbed-one.pcapng -C data_data -e "data.data" -Tfields -Y data.data > tmp.fil

edit flag offensive delete link more

Comments

Thanks, ip.proto works in my case.

Zahra gravatar imageZahra ( 2019-10-03 14:35:53 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-10-03 13:40:51 +0000

Seen: 869 times

Last updated: Oct 03 '19