
I am trying to analyze a Wireshark TCP capture in Excel. I'd like to have some TCP info like TSval, TSecr, SACK edges in separate columns, but it seems that, since these values are stored in TCP options rather than in dedicated TCP header fields, Wireshark does not create such custom columns.

I can see these values in the Info column, but they are shown only for client ACK packets. For server packets the Info column always shows [TCP segment of a reassembled PDU], and I need to see them in both directions. Any ideas how these values can be listed for every packet?


asked 30 Nov '10, 06:31

jackhab

You can use custom columns with the following fields:

  • tcp.options.timestamp.tsval
  • tcp.options.timestamp.tsecr
  • tcp.options.sack_le
  • tcp.options.sack_re

Or use tshark like this:

tshark -r <file> -R tcp -T fields \
     -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
     -e tcp.options.timestamp.tsval -e tcp.options.timestamp.tsecr \
     -e tcp.options.sack_le -e tcp.options.sack_re

Hope this helps!

(See also: http://www.wireshark.org/docs/dfref/t/tcp.html)


answered 30 Nov '10, 07:07


SYN-bit ♦♦

edited 30 Nov '10, 07:26

I could not find tcp.options.timestamp.tsval and tcp.options.timestamp.tsecr either in the custom columns options or in the documentation under the provided link.

(07 Feb '11, 06:40) jackhab

Which version of Wireshark are you using? I think they were added in 1.4.0, but it could also be that they are only available in the 1.5.0 development release.

(07 Feb '11, 07:31) SYN-bit ♦♦

For analyzing TCP SACK edges I used a simple trick which, although not perfectly effective, did the job in pulling out the desired info:

Use Export -> .csv to throw trace file data into an Excel-readable .csv and import that data into Excel. Then you have the trace file data including columns as specified in Wireshark.

The trick for pulling out SACK info for me was to use the "text to columns" button in Excel, which normally separates comma-separated stuff from inside one column into many.

I marked the "Info" column in Excel and replaced "SRE" with "$RE" and "SLE" with "$SLE". After that you can use "text to columns" and give it a user-defined separator "$", which will perfectly pull out those Info lines containing SACK-related edges and place them into new columns to the right, each still labeled with its RE or LE after stripping "$".

Hope that helps


answered 10 Feb '11, 04:30

Landi
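The Info-column split described in the answer above can also be scripted. This is an added example, not code from any poster in this thread; it assumes a CSV export whose Info column carries TSval=, TSecr=, SLE= and SRE= tokens, and the sample rows and function names are constructed for illustration.

```python
import csv
import io
import re

# Constructed sample of a Wireshark CSV export (not taken from the thread).
SAMPLE_CSV = '''"No.","Time","Source","Destination","Protocol","Length","Info"
"1","0.000000","10.0.0.1","10.0.0.2","TCP","66","50000 > 80 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=1000 TSecr=2000"
"2","0.000100","10.0.0.2","10.0.0.1","TCP","1514","[TCP segment of a reassembled PDU]"
"3","0.000200","10.0.0.1","10.0.0.2","TCP","86","[TCP Dup ACK 1#1] 50000 > 80 [ACK] Seq=1 Ack=1 Win=5840 Len=0 TSval=1001 TSecr=2001 SLE=1449 SRE=2897 SLE=4345 SRE=5793"
'''

TOKEN = re.compile(r"\b(TSval|TSecr|SLE|SRE)=(\d+)")

def parse_info(info):
    """Return (tsval, tsecr, [(sle, sre), ...]) found in one Info string."""
    ts = {"TSval": "", "TSecr": ""}
    les, res = [], []
    for name, value in TOKEN.findall(info):
        if name == "SLE":
            les.append(value)
        elif name == "SRE":
            res.append(value)
        else:
            ts[name] = value
    return ts["TSval"], ts["TSecr"], list(zip(les, res))

def add_option_columns(csv_text):
    """Append TSval, TSecr and SLE1/SRE1.. columns to every exported row."""
    rows = list(csv.DictReader(io.StringIO(csv_text)))
    parsed = [parse_info(r["Info"]) for r in rows]
    # A packet can carry several SACK blocks; size the columns to the widest row.
    max_blocks = max((len(p[2]) for p in parsed), default=0)
    out = []
    for row, (tsval, tsecr, blocks) in zip(rows, parsed):
        row = dict(row, TSval=tsval, TSecr=tsecr)
        for i in range(max_blocks):
            sle, sre = blocks[i] if i < len(blocks) else ("", "")
            row[f"SLE{i + 1}"], row[f"SRE{i + 1}"] = sle, sre
        out.append(row)
    return out

def to_csv(rows):
    """Serialize the widened rows back to fully quoted CSV for Excel."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()), quoting=csv.QUOTE_ALL)
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

if __name__ == "__main__":
    print(to_csv(add_option_columns(SAMPLE_CSV)), end="")
```

Rows whose Info text is only "[TCP segment of a reassembled PDU]" come out with blank option cells, because the values are not in the Info string at all; for those packets the field-based export from the first answer is the source to use.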

Dogan lol stop scamming people's account on the cafe by using wireshark


answered 10 Apr '11, 16:37

alvnfer

edited 10 Apr '11, 16:38


Hi, I'm using Wireshark to pinpoint a Ragnarok server's ports and IP. When I enter the filter eth contains "username", it doesn't show up. I am following this guide, btw: http://wiki.openkore.com/index.php/Connectivity_Guide Thank you. PS: Windows 7


answered 05 Apr '11, 07:57


Doğan Erdoğan

question asked: 30 Nov '10, 06:31

question was seen: 9,783 times

last updated: 10 Apr '11, 16:38
