
Disabling "Analyze TCP sequence numbers" in tshark

asked 2021-12-21 22:14:04 +0000

Finbit

I'm trying to parse the output of tshark when reading in a pcap file.

I can do this just fine in some pcaps, but if a pcap has some suspected out-of-order frames, then the payload is not dumped once the TCP analysis detects a problem.

This is solved in Wireshark by disabling "Analyze TCP sequence numbers" in the TCP preferences. How do I do the same for tshark when reading a pcap file?


1 Answer


answered 2021-12-22 00:54:45 +0000

SYN-bit

You can use the -o command line argument in tshark to change preference settings. So in this case the following command will do the trick:

tshark -o tcp.analyze_sequence_numbers:FALSE -r file.pcapng

If you want to get all the preference names, you can use tshark -G currentprefs.

I often use egrep to extract settings for just one protocol, like this:

$ tshark -G currentprefs | egrep "^#?tcp."
#tcp.summary_in_tree: TRUE
#tcp.check_checksum: FALSE
#tcp.desegment_tcp_streams: TRUE
#tcp.reassemble_out_of_order: FALSE
#tcp.analyze_sequence_numbers: TRUE
#tcp.relative_sequence_numbers: TRUE
#tcp.default_window_scaling: Not known
#tcp.track_bytes_in_flight: TRUE
#tcp.calculate_timestamps: TRUE
#tcp.try_heuristic_first: FALSE
#tcp.ignore_tcp_timestamps: FALSE
#tcp.no_subdissector_on_error: TRUE
#tcp.dissect_experimental_options_with_magic: TRUE
#tcp.display_process_info_from_ipfix: FALSE
#tcpros.desegment_tcpros_messages: TRUE
$

Comments

Thank you very much! This works perfectly!

Finbit (2021-12-22 03:05:10 +0000)
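As an added example (not code from the answer above or from the Wireshark project), here is a small Python helper that parses a `tshark -G currentprefs` dump, turns the wanted changes into `-o name:value` arguments, and assembles a tshark command that reads a pcap with "Analyze TCP sequence numbers" disabled. It assumes, as in a Wireshark preferences file, that a leading `#` marks a preference still at its default value; the sample dump is constructed from the lines shown in the answer.

```python
import shutil
import subprocess

# Constructed sample modelled on the answer's `tshark -G currentprefs` output.
# Assumption: a leading '#' marks a preference that is still at its default.
SAMPLE_PREFS = """\
#tcp.check_checksum: FALSE
#tcp.desegment_tcp_streams: TRUE
#tcp.reassemble_out_of_order: FALSE
#tcp.analyze_sequence_numbers: TRUE
#tcp.relative_sequence_numbers: TRUE
"""

def parse_currentprefs(text):
    """Map preference name -> (value, is_default) from a currentprefs dump."""
    prefs = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        is_default = line.startswith("#")
        name, _, value = line.lstrip("#").partition(":")
        prefs[name.strip()] = (value.strip(), is_default)
    return prefs

def override_args(prefs, wanted):
    """Build '-o name:value' arguments, refusing names tshark does not list."""
    args = []
    for name, value in wanted.items():
        if name not in prefs:
            raise KeyError(f"unknown tshark preference: {name}")
        if prefs[name][0].upper() != value.upper():  # only override real changes
            args += ["-o", f"{name}:{value}"]
    return args

def tshark_argv(pcap, prefs, wanted, fields=("frame.number", "tcp.payload")):
    """Full argv for dumping fields from a pcap with preferences overridden."""
    argv = ["tshark"] + override_args(prefs, wanted) + ["-r", pcap, "-T", "fields"]
    for field in fields:
        argv += ["-e", field]
    return argv

def current_prefs_from_tshark():
    """Use the live preference dump if tshark is installed, else the sample."""
    if shutil.which("tshark") is None:
        return parse_currentprefs(SAMPLE_PREFS)
    proc = subprocess.run(["tshark", "-G", "currentprefs"],
                          capture_output=True, text=True, check=True)
    return parse_currentprefs(proc.stdout)

if __name__ == "__main__":
    prefs = current_prefs_from_tshark()
    print(" ".join(tshark_argv("file.pcapng", prefs,
                               {"tcp.analyze_sequence_numbers": "FALSE"})))
```

Run it with tshark installed and it prints the exact command line to use; the `-T fields -e tcp.payload` part is one way to get the payload the question wanted dumped.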


Stats

Seen: 569 times

Last updated: Dec 22 '21