tshark conversation output lopsided

I am entering: tshark -r file.pcap -q -z conv,udp. Regardless of how long I let the file run, as an example, if bytes sent are 100, the response bytes are 0; if the bytes sent are 0, the response bytes are 100. Completely counter-intuitive to what the command is supposed to do. I could understand if the response is 0 when 100 bytes are sent - perhaps because the destination port is closed, or for any other reason - but when the response bytes are 100 without any bytes having been sent, then I'm lost. Can someone please test the command and let me know what you get?