Using tshark to get message from TCP RESET

asked 2020-12-06 18:59:46 +0000

moraist
9 ●2 ●7 ●8

updated 2020-12-06 19:37:53 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●950 ●227 https://www.wireshark.org

How I can get the message from payload using the tshark? For example, the message below is showing "Message: Connection reset (RST)"

Transmission Control Protocol, Src Port: http (80), Dst Port: norton-lambert (2338), Seq: 1406431331, Len: 0
    Source port: http (80)
    Destination port: norton-lambert (2338)
    [Stream index: 3]
    Sequence number: 1406431331
    Header length: 20 bytes
    Flags: 0x004 (RST)
        000. .... .... = Reserved: Not set
        ...0 .... .... = Nonce: Not set
        .... 0... .... = Congestion Window Reduced (CWR): Not set
        .... .0.. .... = ECN-Echo: Not set
        .... ..0. .... = Urgent: Not set
        .... ...0 .... = Acknowledgment: Not set
        .... .... 0... = Push: Not set
        .... .... .1.. = Reset: Set
            [Expert Info (Chat/Sequence): Connection reset (RST)]
                **[Message: Connection reset (RST)]**
                [Severity level: Chat]
                [Group: Sequence]
        .... .... ..0. = Syn: Not set
        .... .... ...0 = Fin: Not set

answered 2020-12-06 19:18:35 +0000

Chuckc
2858 ●5 ●568 ●19

updated 2020-12-06 19:23:16 +0000

That's part of the Expert Info fields. (Man page here)

$ tshark -r ./ultpcap2.pcapng -T fields -e _ws.expert.message -Y _ws.expert.message
Connection establish request (SYN): server port 80
Connection establish acknowledge (SYN+ACK): server port 80
GET / HTTP/1.1\r\n
HTTP/1.1 200 OK\r\n
Connection finish (FIN)
<snip>

Filter on the field name (-Y _ws.expert.message) to not print blank lines for frames that's don't contain Expert Info.

Or filter on contents of the Expert Info message:

$ tshark -r ./ultpcap2.pcapng -T fields -e frame.number -e _ws.expert.message -Y "_ws.expert.message contains \"RST\""
4440    Connection reset (RST)
4441    Connection reset (RST)
4442    Connection reset (RST)
4443    Connection reset (RST)

edit flag offensive delete link

Comments

I am getting an error message when I try to apply the filter.

tshark -nr test.pcap -T fields -e frame.number -e _ws.expert.message -Y "_ws.expert.message contains \"RST\""
tshark: Neither "_ws.expert.message" nor "RST" are field or protocol names.

moraist ( 2020-12-06 21:02:20 +0000 )edit

What is output from tshark -v

Chuckc ( 2020-12-06 21:17:25 +0000 )edit

TShark 1.10.14 (Git Rev Unknown from unknown)

Copyright 1998-2015 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.50.3, with libpcap, with libz 1.2.7, with POSIX capabilities (Linux), without libnl, with SMI 0.4.8, with c-ares 1.10.0, with Lua 5.1, without Python, with GnuTLS 3.3.24, with Gcrypt 1.5.3, with MIT Kerberos, without GeoIP.

Running on Linux 3.10.0-693.5.2.el7.x86_64, with locale en_US.UTF-8, with libpcap version 1.8.1, with libz 1.2.7. Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz

Built using gcc 4.8.5 20150623 (Red Hat 4.8.5-14).

moraist ( 2020-12-06 21:19:08 +0000 )edit

Is it possible to upgrade? The _ws.expert fields were not added until 1.12.0

Versions: 1.12.0 to 3.4.0

Chuckc ( 2020-12-06 21:26:55 +0000 )edit

Sure, I'll do that.

moraist ( 2020-12-06 21:30:18 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Using tshark to get message from TCP RESET

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Using tshark to get message from TCP RESET edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

Using tshark to get message from TCP RESET