Ask Your Question

What would cause tshark's ip.len to show some results with commas?

asked 2022-10-10 03:12:52 +0000

Is there a reason why some results have commas from tshark's ip.len? I'm using "tshark -nr file.pcap -T fields -e ip.len" for the command.

Some examples:






The examples above represent only 3% of the total results where a comma could be expected (4 digits or more), the other 97% do not have commas.

Seeing that's the case, I would not expect to see any commas, hence my question as to why some results have commas.

edit retag flag offensive close merge delete


For any given capture in which you see this:

  1. How many packets have a comma in ip.len?
  2. How many packets have more than one IP header because the IP payload itself contains a full IP packet?
Guy Harris gravatar imageGuy Harris ( 2022-10-10 05:59:37 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted

answered 2022-10-11 12:23:22 +0000

SYN-bit gravatar image

The most probable cause would be that those packets have multiple IP layers (like an ICMP destination unreachable packet had part of the original packet as ICMP payload). Can you try tshark -nr file.pcap -T fields -e ip.proto -e ip.src -e ip.dst -e ip.len to get a little more info on those packets?

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2022-10-10 03:12:52 +0000

Seen: 86 times

Last updated: Oct 11 '22