Ask Your Question
0

Wireshark displays incorrect frame numbers for filtered data in second pass Analysis..

asked 2018-09-06 19:38:22 +0000

this post is marked as community wiki

This post is a wiki. Anyone with karma >750 is welcome to improve it.

I am using the Wireshark 2.0.3 .While using tshark it is seen that frame numbers for unfiltered data and filtered data for the same packets are appearing different. The command that I am giving is as follows: tshark -r test.pcap

which will produce unfiltered data from the capture file

and

tshark -r test.pcap -R "...some criteria..." -2

which will give filtered data. On comparing the frame numbers it is seen that frame numbers for the same packets (with same time stamp,ttl ,seq num etc)are different. This happens only on second pass analysis. If I do a Single pass analysis

tshark -r test.pcap -Y "...some criteria..."

frame numbers are consistent.

Is it supposed to work this way? Or is it a Bug ?

Thanks and Best Regards, Akshay

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2018-09-06 20:41:30 +0000

cmaynard gravatar image

It is supposed to work this way.

-Y is used to specify a display filter, so while all packets are read from the capture file, only the packets matching the specified display filter criteria are displayed. This means all frame numbers shown are the original frame number from the file.

Contrast this with -R, which specifies a read filter. This means that only those packets matching the specified read filter criteria are read from the file. As such, the frame number are renumbered because non-matching packets are essentially treated as if they weren't part of the capture file to begin with.

Read more about display filters vs. read filters on the tshark man page.

edit flag offensive delete link more

Comments

Thanks Christopher ..

I have noticed that in the older Wireshark versions there was only -R option(no -Y or -2 option). Does that mean the older -R option corresponds to the current -Y option.? In other words...in the older version If I give tshark -r test.pcap -R "...some criteria..." and in the newer version if I give tshark -r test.pcap -Y "...some criteria..." Will both these commands produce same frame numbers for a particular capture file(test.pcap)?(both wireshark versions are installed on my system)

Akshay gravatar imageAkshay ( 2018-09-06 21:33:52 +0000 )edit

I don't recall the specifics, but you can visit https://ask.wireshark.org/questions/5... or https://stackoverflow.com/questions/4... and review the history about these options from the links I provided there.

cmaynard gravatar imagecmaynard ( 2018-09-07 15:09:00 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2018-09-06 19:38:22 +0000

Seen: 822 times

Last updated: Sep 06 '18