
How to print out the TCP and IP Headers for one of the filtered messages?

So I'm looking to print out just the TCP and IP headers of one of my captured messages. How do I do this?

ScubaSteve
asked 2020-12-13 20:32:46 +0000


1 Answer


Are you open to using tshark?
Protocols that are not ip or tcp (like Frame and Ethernet below) will display a summary line.
Adding the -Y "ip or tcp" to the end only prints information for frames that contain ip or tcp.
This then excludes protocols like IPv6 and ARP.

$ tshark -r ./ultpcap2.pcapng -O ip,tcp -Y "ip or tcp"

Frame 1: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface \Device\NPF_{F82D62D9-30A1-4A71-8A8B-6CEE19B19DDB}, id 6
Ethernet II, Src: 00:0c:29:9d:c9:d6, Dst: 00:19:e2:a1:f9:86
Internet Protocol Version 4, Src: 192.168.110.10, Dst: 80.237.133.136
    0100 .... = Version: 4
    .... 0101 = Header Length: 20 bytes (5)
    Differentiated Services Field: 0x00 (DSCP: CS0, ECN: Not-ECT)
        0000 00.. = Differentiated Services Codepoint: Default (0)
        .... ..00 = Explicit Congestion Notification: Not ECN-Capable Transport (0)
    Total Length: 52
    Identification: 0x104d (4173)
    Flags: 0x40, Don't fragment
        0... .... = Reserved bit: Not set
        .1.. .... = Don't fragment: Set
        ..0. .... = More fragments: Not set
    Fragment Offset: 0
    Time to Live: 128
    Protocol: TCP (6)
    Header Checksum: 0x0000 [validation disabled]
    [Header checksum status: Unverified]
    Source Address: 192.168.110.10
    Destination Address: 80.237.133.136
Transmission Control Protocol, Src Port: 1152, Dst Port: 80, Seq: 0, Len: 0
    Source Port: 1152
    Destination Port: 80
    [Stream index: 0]
    [TCP Segment Len: 0]
    Sequence Number: 0    (relative sequence number)
    Sequence Number (raw): 3184959687
    [Next Sequence Number: 1    (relative sequence number)]
<snip>
Chuckc
answered 2020-12-13 21:35:23 +0000

Comments

"for one of the filtered messages" - for only one frame, filter on frame.number

$ tshark -r ./ultpcap2.pcapng  -O ip,tcp -Y frame.number==20

Frame 20: 66 bytes on wire (528 bits), 66 bytes captured (528 bits) on interface \Device\NPF_{F82D62D9-30A1-4A71-8A8B-6CEE19B19DDB}, id 6
Ethernet II, Src: 00:0c:29:9d:c9:d6, Dst: 00:19:e2:a1:f9:86
Internet Protocol Version 4, Src: 192.168.110.10, Dst: 212.144.254.123
    0100 .... = Version: 4
<snip>
Chuckc (2020-12-13 21:49:13 +0000)
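The answer and comment above rely on two tshark switches: -O ip,tcp expands only the named protocols (everything else collapses to a one-line summary) and -Y applies a display filter, either a protocol test such as "ip or tcp" or a single frame via frame.number. The following is an added example, written for this page rather than taken from the post or from Wireshark/tshark, that shows what those switches are doing underneath: it dissects raw Ethernet II / IPv4 / TCP header bytes, keeps only the frames a -Y style predicate selects, and prints the IP and TCP layers in detail with the Ethernet layer as a summary line. The two input frames are constructed by hand (a SYN modelled on the addresses, ports, IP ID and raw sequence number visible in Frame 1 above, plus a broadcast ARP frame so the filter has something to exclude); they are not bytes from ultpcap2.pcapng, and the parser is a deliberately small stand-in for Wireshark's dissectors, not a reimplementation of them. The display filter is passed as a Python callable taking the 1-based frame number and the parsed layers.

```python
"""Added example (not from the original post or from tshark itself): dissect raw
Ethernet/IPv4/TCP frames and print only the IP and TCP layers, the way
`tshark -O ip,tcp -Y "ip or tcp"` and `-Y frame.number==N` do."""
import struct
from ipaddress import IPv4Address

ETHERTYPE_IPV4, ETHERTYPE_ARP, IPPROTO_TCP = 0x0800, 0x0806, 6
TCP_FLAG_NAMES = ["FIN", "SYN", "RST", "PSH", "ACK", "URG", "ECE", "CWR"]
SRC_MAC = bytes.fromhex("000c299dc9d6")  # 00:0c:29:9d:c9:d6, as in the answer's output
DST_MAC = bytes.fromhex("0019e2a1f986")  # 00:19:e2:a1:f9:86


def build_syn_frame() -> bytes:
    """Constructed 66-byte TCP SYN resembling Frame 1 of the answer (not captured bytes)."""
    # MSS 1460, NOP, NOP, SACK-permitted, NOP, window scale 2 -> 12 option bytes
    options = bytes.fromhex("020405b4" "0101" "0402" "01030302")
    tcp = struct.pack("!HHIIBBHHH", 1152, 80, 3184959687, 0,
                      ((20 + len(options)) // 4) << 4, 0x02, 65535, 0, 0) + options
    # IPv4: IHL 5, DF set, TTL 128, checksum left 0 as with offload, total length 52
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 20 + len(tcp), 0x104D, 0x4000, 128,
                     IPPROTO_TCP, 0, IPv4Address("192.168.110.10").packed,
                     IPv4Address("80.237.133.136").packed)
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp


def build_arp_frame() -> bytes:
    """Constructed broadcast ARP frame (payload zeroed); an "ip or tcp" filter must drop it."""
    return b"\xff" * 6 + SRC_MAC + struct.pack("!H", ETHERTYPE_ARP) + b"\x00" * 28


def parse_frame(raw: bytes) -> dict:
    """Dissect Ethernet II -> IPv4 -> TCP, stopping at the first layer that is absent,
    and validate lengths so a truncated or malformed frame raises instead of misparsing."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", raw[12:14])[0]
    layers = {"eth": {"dst": raw[:6].hex(":"), "src": raw[6:12].hex(":"), "type": ethertype}}
    if ethertype != ETHERTYPE_IPV4:
        return layers
    if len(raw) < 34:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _dsf, total_len, ident, flags_frag, ttl, proto, csum = struct.unpack(
        "!BBHHHBBH", raw[14:26])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(raw) < 14 + ihl:
        raise ValueError("bad IPv4 version or header length")
    layers["ip"] = {"hdr_len": ihl, "total_len": total_len, "id": ident,
                    "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
                    "frag_off": flags_frag & 0x1FFF, "ttl": ttl, "proto": proto,
                    "checksum": csum, "src": str(IPv4Address(raw[26:30])),
                    "dst": str(IPv4Address(raw[30:34]))}
    if proto != IPPROTO_TCP:
        return layers
    t = 14 + ihl
    if len(raw) < t + 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off, flags, win, _tcs, _urg = struct.unpack("!HHIIBBHHH", raw[t:t + 20])
    data_off = (off >> 4) * 4
    if data_off < 20 or len(raw) < t + data_off:
        raise ValueError("bad TCP data offset")
    layers["tcp"] = {"sport": sport, "dport": dport, "seq_raw": seq, "ack_raw": ack,
                     "hdr_len": data_off, "window": win, "seg_len": total_len - ihl - data_off,
                     "flags": [n for i, n in enumerate(TCP_FLAG_NAMES) if flags & (1 << i)]}
    return layers


def select_frames(frames, display_filter):
    """Mimic -Y: keep (frame.number, layers) pairs for which the predicate holds (1-based)."""
    parsed = enumerate((parse_frame(f) for f in frames), start=1)
    return [(n, l) for n, l in parsed if display_filter(n, l)]


def render_ip_tcp(num: int, layers: dict) -> str:
    """Mimic -O ip,tcp: one summary line for Ethernet, field detail only for IP and TCP."""
    e = layers["eth"]
    out = [f"Frame {num}", f"Ethernet II, Src: {e['src']}, Dst: {e['dst']}"]
    if "ip" in layers:
        ip = layers["ip"]
        out += [f"Internet Protocol Version 4, Src: {ip['src']}, Dst: {ip['dst']}",
                f"    Header Length: {ip['hdr_len']} bytes ({ip['hdr_len'] // 4})",
                f"    Total Length: {ip['total_len']}    Identification: 0x{ip['id']:04x} ({ip['id']})",
                f"    Don't fragment: {'Set' if ip['df'] else 'Not set'}    More fragments: "
                f"{'Set' if ip['mf'] else 'Not set'}    Fragment Offset: {ip['frag_off']}",
                f"    Time to Live: {ip['ttl']}    Protocol: {ip['proto']}    Header Checksum: 0x{ip['checksum']:04x}"]
    if "tcp" in layers:
        t = layers["tcp"]
        out += [f"Transmission Control Protocol, Src Port: {t['sport']}, Dst Port: {t['dport']}, Len: {t['seg_len']}",
                f"    Sequence Number (raw): {t['seq_raw']}    Header Length: {t['hdr_len']} bytes",
                f"    Flags: {', '.join(t['flags']) or 'none'}    Window: {t['window']}"]
    return "\n".join(out)


if __name__ == "__main__":
    frames = [build_syn_frame(), build_arp_frame()]  # constructed capture: SYN, then ARP
    for num, layers in select_frames(frames, lambda n, l: "ip" in l or "tcp" in l):
        print(render_ip_tcp(num, layers))       # Frame 1 only; the ARP frame is filtered out
    for num, layers in select_frames(frames, lambda n, l: n == 2):
        print(render_ip_tcp(num, layers))       # frame.number==2 -> ARP summary line only
```

Two details worth noticing when comparing this with the real tool. First, the "ip or tcp" predicate drops the ARP frame entirely, which is the exclusion the answer warns about; a filter of frame.number==2 selects it again but, with only ip and tcp expanded, all you get is the summary line. Second, the parser checks IHL and the TCP data offset against the bytes actually present before slicing; a capture from an untrusted source can contain frames whose header-length fields point past the end of the frame, and a dissector that trusts those fields is exactly the kind of code that has historically crashed.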
