Ask Your Question
0

What would cause tshark's ip.len to show some results with commas?

asked 2022-10-10 03:12:52 +0000

Is there a reason why some results have commas from tshark's ip.len? I'm using "tshark -nr file.pcap -T fields -e ip.len" for the command.

Some examples:

92,64

91,63

112,95

5,761,612

112,133

The examples above represent only 3% of the total results where a comma could be expected (4 digits or more), the other 97% do not have commas.

Seeing that's the case, I would not expect to see any commas, hence my question as to why some results have commas.

edit retag flag offensive close merge delete

Comments

For any given capture in which you see this:

  1. How many packets have a comma in ip.len?
  2. How many packets have more than one IP header because the IP payload itself contains a full IP packet?
Guy Harris gravatar imageGuy Harris ( 2022-10-10 05:59:37 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-10-11 12:23:22 +0000

SYN-bit gravatar image

The most probable cause would be that those packets have multiple IP layers (like an ICMP destination unreachable packet had part of the original packet as ICMP payload). Can you try tshark -nr file.pcap -T fields -e ip.proto -e ip.src -e ip.dst -e ip.len to get a little more info on those packets?

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2022-10-10 03:12:52 +0000

Seen: 101 times

Last updated: Oct 11 '22