Ask Your Question

Disabling all protocols above TCP in tshark

asked 2020-05-15 06:58:24 +0000

gilnaa gravatar image

updated 2020-05-15 07:01:56 +0000


I'm using tshark to analyze some TCP that has no specified protocol, and am using the following filters:

not _ws.malformed and tcp and not tcp.analysis.retransmission and not tcp.analysis.fast_retransmission

I saw that some packets are missing from the stream, and after some investigation, I found out that *shark thinks that this packet (or stream) is IRC for some reason (EDIT: It is because of the port number), and that the missing packets are malformed.

I know for certain that this stream does not contain IRC (it is the output of hexdump piped into nc)

How can I tell tshark to not decode any protocol above TCP? Alternatively, is there another way to check for malformed packets, but with regards to TCP or lower layers only?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2020-05-15 14:58:24 +0000

Chuckc gravatar image

updated 2020-05-15 14:58:34 +0000

You could do it with a custom profile that disables everything but the lower levels.
Some ideas here

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2020-05-15 06:58:24 +0000

Seen: 529 times

Last updated: May 15 '20