Ask Your Question
0

How to print out the TCP and IP Headers for one of the filtered messages?

asked 2020-12-13 20:32:46 +0000

So i'm looking to print out just the TCP and IP headers of one of my captures messages? How do I do this?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2020-12-13 21:35:23 +0000

Chuckc gravatar image

Are you open to using tshark ?
Protocols that are not ip or tcp (like Frame and Ethernet below) will display a summary line.
Adding the -Y "ip or tcp" to the end only prints information for frames that contain ip or tcp.
This then excludes protocols like IPv6 and ARP.

$ tshark -r ./ultpcap2.pcapng -O ip,tcp -Y "ip or tcp"

Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface \Device\NPF_{F82D62D9-30A1-4A71-8A8B-
6CEE19B19DDB}, id 6
Ethernet II, Src: 00:0c:29:9d:c9:d6, Dst: 00:19:e2:a1:f9:86
Internet Protocol Version 4, Src: 192.168.110.10, Dst: 80.237.133.136
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 52
    Identification: 0x104d (4173)
    Flags: 0x40, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0x0000 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.110.10
    Destination Address: 80.237.133.136
Transmission Control Protocol, Src Port: 1152, Dst Port: 80, Seq: 0, Len: 0
    Source Port: 1152
    Destination Port: 80
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 3184959687
    [Next Sequence Number: 1    (relative sequence number)]
<snip>
edit flag offensive delete link more

Comments

""for one of the filtered messages" - for only one frame, filter on frame.number

$ tshark -r ./ultpcap2.pcapng  -O ip,tcp -Y frame.number==20

Frame 20: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface \Device\NPF_{F82D62D9-30A1-4A71-8A8B
-6CEE19B19DDB}, id 6
Ethernet II, Src: 00:0c:29:9d:c9:d6, Dst: 00:19:e2:a1:f9:86
Internet Protocol Version 4, Src: 192.168.110.10, Dst: 212.144.254.123
    0100 .... = Version: 4
<snip>
Chuckc gravatar imageChuckc ( 2020-12-13 21:49:13 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2020-12-13 20:32:46 +0000

Seen: 38 times

Last updated: Dec 13 '20