Ask Your Question
0

tshark: How do I display the absolute frame number?

asked 2018-07-16 21:40:34 +0000

theglossy1 gravatar image

updated 2018-07-16 21:41:15 +0000

Greetings. I want to get a list of all the SNI server_names from the https client hello packets. No problem, this works:

tshark -r capture.pcap -T fields -e ssl.handshake.extensions_server_name -2 -R ssl.handshake.extensions_server_name

In my capture, the following packets have that information 59,62,65,146,502,574,650,712.

However, I would like to see the real frame numbers associated with those. In Wireshark itself, I can just filter on:

ssl.handshake.extensions_server_name != ""

and it shows the absolute frame number. In tshark, if I specify a -e frame.number it displays 1-8 for the frame number. Is there a way to see the Wireshark-like output of the original frame number?

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2018-07-16 21:49:41 +0000

cmaynard gravatar image

In a nutshell, use a display filter (-Y) instead of a read filter (-R), e.g.:

tshark -r capture.pcap -T fields -e frame.number -e ssl.handshake.extensions_server_name -2 -Y ssl.handshake.extensions_server_name

Refer to the tshark man page for more details.

edit flag offensive delete link more

Comments

1

Makes total sense. The read filter (-R) affects the file as it's "coming in" whereas the display filter affects the output only. Beautiful.

theglossy1 gravatar imagetheglossy1 ( 2018-07-16 21:58:13 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2018-07-16 21:40:34 +0000

Seen: 5,549 times

Last updated: Jul 16 '18