Ask Your Question

Disabling "Analyze TCP sequence numbers" in tshark

asked 2021-12-21 22:14:04 +0000

Finbit gravatar image

I'm trying to parse the output of tshark when reading in a pcap file.

I can do this just fine in some pcaps, but if a pcap has some suspected out of order frames, then the payload is not dumped once the tcp analysis detects a problem.

This is solved in wirshark by disabling "Analyze TCP sequence numbers" in the TCP preferences. How do I do the same for tshark when reading a pcap file?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2021-12-22 00:54:45 +0000

SYN-bit gravatar image

You can use the -o command line argument in tshark to change preference settings. So in this case the following command will do the trick:

tshark -o tcp.analyze_sequence_numbers:FALSE -r file.pcapng

If you want to get all the preference names, you can use tshark -G currentprefs.

I often use egrep to extract settings for just one protocol, like this:

$ tshark -G currentprefs | egrep "^#?tcp."
#tcp.summary_in_tree: TRUE
#tcp.check_checksum: FALSE
#tcp.desegment_tcp_streams: TRUE
#tcp.reassemble_out_of_order: FALSE
#tcp.analyze_sequence_numbers: TRUE
#tcp.relative_sequence_numbers: TRUE
#tcp.default_window_scaling: Not known
#tcp.track_bytes_in_flight: TRUE
#tcp.calculate_timestamps: TRUE
#tcp.try_heuristic_first: FALSE
#tcp.ignore_tcp_timestamps: FALSE
#tcp.no_subdissector_on_error: TRUE
#tcp.dissect_experimental_options_with_magic: TRUE
#tcp.display_process_info_from_ipfix: FALSE
#tcpros.desegment_tcpros_messages: TRUE
edit flag offensive delete link more


Thank you very much! This works perfectly!

Finbit gravatar imageFinbit ( 2021-12-22 03:05:10 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2021-12-21 22:14:04 +0000

Seen: 482 times

Last updated: Dec 22 '21