
How to specify that tshark shows packets' protocol at transport layer not application layer?

Hi,

I want to make a decision on packets based on their transport-layer protocol (whether it is TCP or UDP). Now I do it by checking whether tcp.srcport is set or not. How can I change the protocol layer shown in _ws.col.Protocol to the transport layer instead of the application layer in the output of the following command?

tshark -r  capture.pcap  -T fields -E separator=, -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e frame.len -e _ws.col.Protocol -E header=y -E quote=d -E occurrence=f > capture.csv

According to the tshark manpage, it seems that the -j or -J options do something similar to what I needed, but I couldn't find such an example.

Zahra
asked 2019-10-03 13:40:51 +0000

1 Answer


Can you do it with the ip.proto field?

Or disable the dissectors for the application layers: (ignore ref to data.data for your use) https://ask.wireshark.org/question/11...

Brute force might be to have a profile with all protocols disabled except ethernet, ipv4, ipv6?, tcp and udp. Use "-C" to specify the profile to load and print the data.data field.

tshark -r .\http-riverbed-one.pcapng -C data_data -e "data.data" -Tfields -Y data.data > tmp.fil

Chuckc
answered 2019-10-03 14:23:16 +0000, updated 2019-10-03 14:31:09 +0000

Comments

Thanks, ip.proto works in my case.

Zahra (2019-10-03 14:35:53 +0000)
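
Added example, not part of the original thread: the question's export with ip.proto in place of _ws.col.Protocol, followed by a post-processing step that turns the protocol number into a TCP/UDP label. The function names (sample_csv, label_transport, count_transport) and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# Export step (same options as the question, last field swapped for ip.proto):
#   tshark -r capture.pcap -T fields -E separator=, -E header=y -E quote=d \
#     -E occurrence=f -e frame.number -e frame.time_epoch -e ip.src -e ip.dst \
#     -e frame.len -e ip.proto > capture.csv

# Constructed sample of that CSV (not real capture data).
sample_csv() {
cat <<'EOF'
"frame.number","frame.time_epoch","ip.src","ip.dst","frame.len","ip.proto"
"1","1570110051.000100","192.0.2.10","198.51.100.5","74","6"
"2","1570110051.000350","192.0.2.10","198.51.100.53","82","17"
"3","1570110051.000900","","","42",""
"4","1570110051.001200","192.0.2.10","198.51.100.5","98","1"
"5","1570110051.001500","198.51.100.5","192.0.2.10","1514","6"
EOF
}

# label_transport: read the CSV on stdin and append a "transport" column.
# 6 -> TCP and 17 -> UDP (IANA protocol numbers). An empty ip.proto means the
# frame carries no IPv4 header (ARP, for instance) and is labelled NONE;
# any other number (ICMP = 1, ...) is labelled OTHER.
label_transport() {
  awk -F',' '
    NR == 1 { print $0 ",\"transport\""; next }
    {
      p = $NF; gsub(/"/, "", p)      # strip the quotes added by -E quote=d
      if (p == "6") t = "TCP"
      else if (p == "17") t = "UDP"
      else if (p == "") t = "NONE"
      else t = "OTHER"
      print $0 ",\"" t "\""
    }'
}

# count_transport LABEL: number of frames on stdin that receive that label.
count_transport() {
  label_transport |
    awk -F',' -v want="\"$1\"" 'NR > 1 && $NF == want { n++ } END { print n + 0 }'
}

sample_csv | label_transport
```

With -E occurrence=f, a packet that carries more than one IP header reports only the first (outer) ip.proto value.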