tshark: How do I display the absolute frame number?

Greetings. I want to get a list of all the SNI server_names from the https client hello packets. No problem, this works:

tshark -r capture.pcap -T fields -e ssl.handshake.extensions_server_name -2 -R ssl.handshake.extensions_server_name

In my capture, the following packets have that information: 59,62,65,146,502,574,650,712.

However, I would like to see the real frame numbers associated with those. In Wireshark itself, I can just filter on:

ssl.handshake.extensions_server_name != ""

and it shows the absolute frame number. In tshark, if I specify a -e frame.number it displays 1-8 for the frame number. Is there a way to see the Wireshark-like output of the original frame number?
