Different results in Wireshark and Tshark for the same PCAP file


Hello. I am running Wireshark and Tshark (both of version 2.6.10) on Ubuntu (18.04.4). I loaded the same PCAP file on both of them, and applied the same display filter on both. However, the number of displayed packets is different. What could be the reason?

Thank you.

XX
asked 2020-02-27 04:28:20 +0000

Comments

What happens if you:

  • run TShark with -R and the filter;
  • run TShark with -Y and the filter (and without -R);
  • run TShark with -2, and -Y and the filter (again, without -R)?
Guy Harris (2020-02-27 04:51:45 +0000)
  1. run TShark with -R and the filter; It showed "-R without -2 is deprecated". So I tried -R with -2. Same issue.
  2. run TShark with -Y and the filter (and without -R); That is actually what I am using. Same issue.
  3. run TShark with -2, and -Y and the filter (again, without -R)? Still the same issue.
XX (2020-02-27 06:21:20 +0000)

Are you using the Default profile in Wireshark when working with the PCAP file?

Tshark uses the Default profile if the -C <config profile> option is NOT used. Wireshark uses the last used profile if the -C <config profile> option is NOT used.

Jim Young (2020-03-07 21:08:16 +0000)
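
An added example, not part of the original thread: a shell helper that counts the packets TShark displays for one filter in one-pass mode, in two-pass mode (-2), and under each configuration profile named on the command line (-C), so each count can be compared with the one Wireshark shows. The function names, the script name and the profile names you pass are assumptions.

```shell
#!/bin/sh
# Added example: compare TShark display-filter match counts across
# one-pass, two-pass and per-profile runs.
# Usage: sh compare_counts.sh capture.pcap 'display filter' [profile ...]

# Count the packets TShark displays for a filter.
# Any extra arguments (for example -2, or -C <config profile>) are passed
# to tshark unchanged.
count_matches() {
    local pcap="$1" filter="$2"
    shift 2
    # -T fields -e frame.number prints exactly one line per displayed packet,
    # so the line count equals the displayed-packet count.
    # stderr is left visible so a rejected filter or unknown profile is not
    # silently reported as "0 packets".
    tshark -n -r "$pcap" "$@" -Y "$filter" -T fields -e frame.number \
        | wc -l | tr -d ' '
}

# Print one "label: count" line per configuration tried.
compare_counts() {
    local pcap="$1" filter="$2" p
    shift 2
    # No -C: TShark falls back to the Default profile.
    printf '%s: %s\n' "Default profile, one-pass" \
        "$(count_matches "$pcap" "$filter")"
    printf '%s: %s\n' "Default profile, two-pass" \
        "$(count_matches "$pcap" "$filter" -2)"
    # Each named profile may carry different protocol preferences
    # (reassembly, port assignments, disabled dissectors), which change
    # what a display filter matches.
    for p in "$@"; do
        printf '%s: %s\n' "profile $p, two-pass" \
            "$(count_matches "$pcap" "$filter" -2 -C "$p")"
    done
}

# Run only when a capture file and a filter were supplied.
if [ "$#" -ge 2 ]; then
    compare_counts "$@"
fi
```

The profile whose count matches the number in Wireshark's status bar is the one Wireshark had loaded; the active profile name is also shown at the right end of that status bar.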