Ask Your Question
0

filtering out protocol, sequence number, and ack using tshark

asked 2017-11-23 16:51:13 +0000

Zahra gravatar image

How can I filter out the protocol, sequence number, and ack using tshark? I could filter out other options as follow:

tshark -r traffic.pcap -T fields -E separator=, -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport  -e frame.len -e tcp.flags  -e _ws.col.Info -E header=y -E quote=d -E occurrence=f
edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
1

answered 2017-11-23 17:47:21 +0000

grahamb gravatar image

Use the "-e" options listed below:

  • protocol, -e _ws.col.Protocol
  • sequence number, assuming you mean tcp sequence number, -e tcp.seq
  • ack, for ack number use -e tcp.ack, for ack flag use -e tcp.flags.ack

In general to find the filter name select the item in the packet details pane and look at the name in parenthesis in the status bar at the bottom. Any column can be used by prefixing the name with "_ws.col.".

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2017-11-23 16:51:13 +0000

Seen: 41 times

Last updated: Nov 23