This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

getting more info on TCP packets

0

I am trying to analyze Wireshark TCP capture in Excel. I'd like to have some TCP info like TSval, TSecr, SACK edges in separate columns but it seems that since these values are stored in TCP options rather than in dedicated TCP header fields Wireshark does not create such custom columns.

I can see these values in the info column but they are shown only for client ACK packets. For server packets the info columns always shows [TCP segment of a reassembled PDU] and I need to see them in both direction. Any ideas how these values can be listed for every packet?

Thanks.

asked 30 Nov '10, 06:31

jackhab's gravatar image

jackhab
1111
accept rate: 0%


4 Answers:

2

You can use custom columns with the following fields:

  • tcp.options.timestamp.tsval
  • tcp.options.timestamp.tsecr
  • tcp.options.sack_le
  • tcp.options.sack_re

Or use tshark like this:

tshark -r <file> -R tcp -T fields \
     -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport \
     -e tcp.options.timestamp.tsval -e tcp.options.timestamp.tsecr \
     -e tcp.options.sack_le -e tcp.options.sack_re

Hope this helps!

(See also: http://www.wireshark.org/docs/dfref/t/tcp.html)

answered 30 Nov '10, 07:07

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

edited 30 Nov '10, 07:26

I could not find tcp.options.timestamp.tsval and tcp.options.timestamp.tsecr neither in custom columns options nor in the documentation under the provided link.

(07 Feb '11, 06:40) jackhab

Which version of wireshark are you using? I think they were added in 1.4.0, but it could also be that they are only available in the 1.5.0 development release.

(07 Feb '11, 07:31) SYN-bit ♦♦

1

For analyzing TCP SACK Edges i used a simple trick which - although not perfectly effective - did the job in pulling out the desired info:

Use Export -> .csv to throw trace file data into excel readable .csv and import that Data into Excel. Then you have trace file date including coloumns as specified in wireshark.

The trick for pulling out SACK info for me was to use the "text to coloumns" button in Excel, which normally seperates comma-seperated stuff from inside one coloumn into many.

I marked the "Info" coloumn in Excel and replaced "SRE" to "$RE" and "SLE" to "$SLE". After that you can use "text to coloumns" and give it a user-defined seperator "$", which will perfectly pull out those Info lines containing SACK related edges and place it into new coloums to the right, each still labeled with it's RE or LE after stripping "$"

Hope that helps

answered 10 Feb '11, 04:30

Landi's gravatar image

Landi
2.3k51442
accept rate: 28%

0

Dogan lol stop scamming people's account on the cafe by using wireshark

answered 10 Apr '11, 16:37

alvnfer's gravatar image

alvnfer
1112
accept rate: 0%

edited 10 Apr '11, 16:38

-1

Hi, im usong wireshark to pinpoint a ragnarok servers ports and ip, when i enter for filter eth contains "username" it doesnt show up, i am following this guide btw. http://wiki.openkore.com/index.php/Connectivity_Guide thank you. ps: windows 7

answered 05 Apr '11, 07:57

Do%C4%9Fan%20Erdo%C4%9Fan's gravatar image

Doğan Erdoğan
0
accept rate: 0%