Ask Your Question

tshark - How can I specify a tab as the -E aggregator character? /s becomes a space, but /t becomes a forward slash, a keyboard tab generates a syntax error.

asked 2019-03-15 16:25:01 +0000

SJZK gravatar image

I have two capture files of the same traffic between a pair of Windows servers. One capture file is from Wireshark running on one of the Windows virtual hosts. The other capture file is from a SPAN port on a switch close to the other Windows system. The capture covers a roughly 24 hour period. The purpose of the captures was to isolate where our connection failures were happening.

I extracted the SYN packets from both capture files and compared their packet timestamps, matching on source and destination ports and the packet sequence number (actual, not relative). The delta time for the same packet starts out at 80 milliseconds. After an hour or so the delta becomes 7.6 seconds and stays that way for 23 hours. Then within the next hour the delta time for the same packet jumps to 2 minutes, then 10 minutes, then 30 minutes.

We suspect the Wireshark time stamps are incorrect, because it is the only movable object in this scenario - it moves when the virtual server moves. But even so, I can't explain away a 30 minute difference for the same packet. And I was told all servers in the data center are time sync'd to the same NTP server.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted

answered 2019-03-15 16:47:56 +0000

grahamb gravatar image

The aggregator option doesn't support the use of a tab.

To request a change to allow it to do so, please raise an entry at the Wireshark Bugzilla, checking for an existing issue first.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower


Asked: 2019-03-15 16:25:01 +0000

Seen: 99 times

Last updated: Mar 15