Are you open to using tshark?
Protocols that are not ip or tcp (like Frame and Ethernet below) will display a summary line.
Adding the -Y "ip or tcp" to the end only prints information for frames that contain ip or tcp.
This then excludes protocols like IPv6 and ARP.
$ tshark -r ./ultpcap2.pcapng -O ip,tcp -Y "ip or tcp"
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface \Device\NPF_{F82D62D9-30A1-4A71-8A8B-6CEE19B19DDB}, id 6
Ethernet II, Src: 00:0c:29:9d:c9:d6, Dst: 00:19:e2:a1:f9:86
Internet Protocol Version 4, Src: 192.168.110.10, Dst: 80.237.133.136
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 52
    Identification: 0x104d (4173)
    Flags: 0x40, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0x0000 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.110.10
    Destination Address: 80.237.133.136
Transmission Control Protocol, Src Port: 1152, Dst Port: 80, Seq: 0, Len: 0
    Source Port: 1152
    Destination Port: 80
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 3184959687
    [Next Sequence Number: 1    (relative sequence number)]
<snip>
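For scripting against this text output, here is an added example (not part of the original answer) that splits `-O` output into frames and layers and reports which layers were only summarised. It assumes tshark's layout of layer headers at column 0 and fields indented by four spaces; the sample is constructed from the output above, abridged and with the interface name shortened, and `parse_frames` and `summary_only` are hypothetical helper names.

```python
import re

# Constructed sample: abridged from the output above, interface name shortened.
SAMPLE = """\
Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface eth0, id 6
Ethernet II, Src: 00:0c:29:9d:c9:d6, Dst: 00:19:e2:a1:f9:86
Internet Protocol Version 4, Src: 192.168.110.10, Dst: 80.237.133.136
    0100 .... = Version: 4
    Flags: 0x40, Don't fragment
        .1.. .... = Don't fragment: Set
    Time to Live: 128
    Protocol: TCP (6)
Transmission Control Protocol, Src Port: 1152, Dst Port: 80, Seq: 0, Len: 0
    Source Port: 1152
    Destination Port: 80
    [Stream index: 0]
"""

def parse_frames(text):
    """Split `tshark -O` text into frames; each frame is a list of layers."""
    frames, layer = [], None
    for line in text.splitlines():
        if not line.strip():
            continue                      # blank line between frames
        if re.match(r"Frame \d+: ", line):
            frames.append([])             # a new frame starts here
        if not frames:
            continue                      # ignore text before the first frame
        if not line[0].isspace():
            # Column 0: a layer header (the summary line for that protocol).
            layer = {"header": line, "fields": {}}
            frames[-1].append(layer)
        elif line.startswith("    ") and not line.startswith("     "):
            # Exactly four spaces: a top-level field of the current layer.
            key, sep, value = line.strip().strip("[]").partition(": ")
            if sep:
                # Bitfield lines look like "0100 .... = Version"; keep the name.
                layer["fields"][key.rpartition(" = ")[2]] = value
        # Deeper indentation (sub-fields such as flag bits) is skipped.
    return frames

def summary_only(frame):
    """Names of layers printed as a single summary line (not listed in -O)."""
    return [l["header"].split(",")[0].split(":")[0]
            for l in frame if not l["fields"]]

if __name__ == "__main__":
    for frame in parse_frames(SAMPLE):
        print("summary only:", summary_only(frame))
        for l in frame:
            if l["fields"]:
                print(l["header"].split(",")[0], l["fields"])
```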