How to specify that tshark shows packets' protocol at transport layer not application layer?

Hi,

I want to make a decision on packets based on their transport layer protocol (whether it is TCP or UDP). Now I do it by checking whether tcp.srcport is set or not. How can I change the protocol layer shown in _ws.col.Protocol to the transport layer instead of the application layer in the output of the following command?

tshark -r  capture.pcap  -T fields -E separator=, -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e frame.len -e _ws.col.Protocol -E header=y -E quote=d -E occurrence=f > capture.csv

According to the tshark manpage, it seems that the -j or -J option does something similar to what I needed, but I couldn't find such an example.