What would cause tshark's ip.len to show some results with commas?

asked 2022-10-10 03:12:52 +0000

Is there a reason why some results have commas from tshark's ip.len? I'm using "tshark -nr file.pcap -T fields -e ip.len" for the command.

Some examples:

92,64

91,63

112,95

5,761,612

112,133

The examples above represent only 3% of the total results where a comma could be expected (4 digits or more), the other 97% do not have commas.

Seeing that's the case, I would not expect to see any commas, hence my question as to why some results have commas.


Comments

For any given capture in which you see this:

  1. How many packets have a comma in ip.len?
  2. How many packets have more than one IP header because the IP payload itself contains a full IP packet?
Guy Harris (2022-10-10 05:59:37 +0000)

1 Answer


answered 2022-10-11 12:23:22 +0000

SYN-bit

The most probable cause would be that those packets have multiple IP layers (like an ICMP destination unreachable packet had part of the original packet as ICMP payload). Can you try tshark -nr file.pcap -T fields -e ip.proto -e ip.src -e ip.dst -e ip.len to get a little more info on those packets?
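The comma is tshark's default aggregator for a field that occurs more than once in a packet, so a second IP header (for example the original datagram quoted inside an ICMP error) produces "92,64". The following is an added example, not code from the question or answer: it parses the four-field output suggested above into per-layer records and lists the packets that carry more than one IP header. The sample lines are constructed, not taken from the asker's capture.

```python
"""Parse tshark '-T fields' output where each field occurs once per IP layer.

tshark joins repeated occurrences of a field with a comma (its default
-E aggregator), so a packet with two IP headers yields values like "92,64".
"""
from dataclasses import dataclass

# Constructed sample of:
#   tshark -nr file.pcap -T fields -e ip.proto -e ip.src -e ip.dst -e ip.len
# Fields are tab-separated; a comma inside a field means a second IP layer.
SAMPLE = """\
6\t10.0.0.5\t93.184.216.34\t1500
1,17\t10.0.0.1,10.0.0.5\t10.0.0.5,8.8.8.8\t92,64
17\t10.0.0.5\t8.8.8.8\t64
1,6\t192.0.2.1,10.0.0.5\t10.0.0.5,198.51.100.7\t112,95
"""

@dataclass
class IpLayer:
    proto: int
    src: str
    dst: str
    length: int  # ip.len of this header

def parse_packet(line, sep="\t", aggregator=","):
    """Split one output line into a list of IpLayer, outermost first."""
    cols = [c.split(aggregator) for c in line.rstrip("\n").split(sep)]
    if len({len(c) for c in cols}) != 1:
        raise ValueError(f"fields disagree on layer count: {line!r}")
    return [IpLayer(int(p), s, d, int(n)) for p, s, d, n in zip(*cols)]

def nested_packets(text):
    """Return (line_no, layers) for packets with more than one IP header."""
    out = []
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        layers = parse_packet(line)
        if len(layers) > 1:
            out.append((n, layers))
    return out

def describe(layers):
    """Explain why a packet shows two ip.len values (proto 1 is ICMP)."""
    outer, inner = layers[0], layers[1]
    kind = ("ICMP error quoting the original datagram" if outer.proto == 1
            else "encapsulated IP")
    return f"{kind}: outer ip.len={outer.length}, inner ip.len={inner.length}"
```

If only the outer header is wanted, tshark's `-E occurrence=f` keeps the first occurrence of each field, and `-E aggregator=<char>` changes the separator.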



Last updated: Oct 11 '22