Ask Your Question

How to specify that tshark shows packets' protocol at transport layer not application layer?

asked 2019-10-03 13:40:51 +0000

Zahra gravatar image


I want to make decision on packet based on their transport layer protocol (Whether it is TCP or UDP). Now I do it by checking whether the tcp.srcport is set or not. How can I change the protocols layer shown in _ws.col.Protocol to transport layer instead of application layer in the output of the following command?

tshark -r  capture.pcap  -T fields -E separator=, -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e frame.len -e _ws.col.Protocol -E header=y -E quote=d -E occurrence=f > capture.csv

According to tshark manpage, It seems that -j or -J option do something similar to what I needed, but I couldn't find such example.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2019-10-03 14:23:16 +0000

Chuckc gravatar image

updated 2019-10-03 14:31:09 +0000

Can you do it with the ip.proto field?

Or disable the dissectors for the application layers: (ignore ref to for your use)

Brute force might be to have a profile with all protocols disabled except ethernet, ipv4, ipv6?, tcp and udp. Use "-C" to specify the profile to load and print the field.

tshark -r .\http-riverbed-one.pcapng -C data_data -e "" -Tfields -Y > tmp.fil

edit flag offensive delete link more


Thanks, ip.proto works in my case.

Zahra gravatar imageZahra ( 2019-10-03 14:35:53 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-10-03 13:40:51 +0000

Seen: 791 times

Last updated: Oct 03 '19