Different results in Wireshark and Tshark for the same PCAP file

asked 2020-02-27 04:28:20 +0000

XX

Hello. I am running Wireshark and Tshark (both of version 2.6.10) on Ubuntu (18.04.4). I loaded the same PCAP file on both of them, and applied the same display filter on both. However, the number of displayed packets is different. What could be the reason?

Thank you.


Comments

What happens if you:

  • run TShark with -R and the filter;
  • run TShark with -Y and the filter (and without -R);
  • run TShark with -2, and -Y and the filter (again, without -R)?
Guy Harris ( 2020-02-27 04:51:45 +0000 )

  1. run TShark with -R and the filter; It showed "-R without -2 is deprecated". So I tried -R with -2. Same issue.
  2. run TShark with -Y and the filter (and without -R); That is actually what I am using. Same issue.
  3. run TShark with -2, and -Y and the filter (again, without -R)? Still same issue.
XX ( 2020-02-27 06:21:20 +0000 )

Are you using the Default profile in Wireshark when working with the PCAP file?

Tshark uses the Default profile if the `-C <config profile>` option is NOT used. Wireshark uses the last used profile if the `-C <config profile>` option is NOT used.

Jim Young ( 2020-03-07 21:08:16 +0000 )