Disabling all protocols above TCP in tshark

Hey,

I'm using tshark to analyze some TCP that has no specified protocol, and am using the following filters:

not _ws.malformed and tcp and not tcp.analysis.retransmission and not tcp.analysis.fast_retransmission

I saw that some packets are missing from the stream, and after some investigation, I found out that *shark thinks that this packet (or stream) is IRC for some reason (EDIT: It is because of the port number), and that the missing packets are malformed.

I know for certain that this stream does not contain IRC (it is the output of hexdump piped into nc).

How can I tell tshark to not decode any protocol above TCP? Alternatively, is there another way to check for malformed packets, but with regard to TCP or lower layers only?