Revision history [back]

Revision 2

updated 2020-12-06 19:23:16 +0000

That's part of the Expert Info fields. (Man page here)

$ tshark -r ./ultpcap2.pcapng -T fields -e _ws.expert.message -Y _ws.expert.message
Connection establish request (SYN): server port 80
Connection establish acknowledge (SYN+ACK): server port 80
GET / HTTP/1.1\r\n
HTTP/1.1 200 OK\r\n
Connection finish (FIN)
<snip>

Filter on the field name (-Y _ws.expert.message) to not print blank lines for frames that's don't contain Expert Info.

Or filter on contents of the Expert Info message:

$ tshark -r ./ultpcap2.pcapng -T fields -e frame.number -e _ws.expert.message -Y "_ws.expert.message contains \"RST\""
4440    Connection reset (RST)
4441    Connection reset (RST)
4442    Connection reset (RST)
4443    Connection reset (RST)

Revision 1

Chuckc

answered 2020-12-06 19:18:35 +0000

That's part of the Expert Info ~~fields. (Man page here)~~fields.

$ tshark -r ./ultpcap2.pcapng -T fields -e _ws.expert.message -Y _ws.expert.message
Connection establish request (SYN): server port 80
Connection establish acknowledge (SYN+ACK): server port 80
GET / HTTP/1.1\r\n
HTTP/1.1 200 OK\r\n
Connection finish (FIN)
<snip>

Filter on the field name (-Y _ws.expert.message) to not print blank lines for frames that's don't contain Expert Info.

~~Or filter on contents of the Expert Info message:~~

$ tshark -r ./ultpcap2.pcapng -T fields -e frame.number -e _ws.expert.message -Y "_ws.expert.message contains \"RST\"" 4440 Connection reset (RST) 4441 Connection reset (RST) 4442 Connection reset (RST) 4443 Connection reset (RST)