I'm trying to parse the output of tshark when reading in a pcap file.
I can do this just fine in some pcaps, but if a pcap has some suspected out of order frames, then the payload is not dumped once the tcp analysis detects a problem.
This is solved in wirshark by disabling "Analyze TCP sequence numbers" in the TCP preferences. How do I do the same for tshark when reading a pcap file?
You can use the -o command line argument in tshark to change preference settings. So in this case the following command will do the trick:
tshark -o tcp.analyze_sequence_numbers:FALSE -r file.pcapng
If you want to get all the preference names, you can use tshark -G currentprefs.
I often use egrep to extract settings for just one protocol, like this:
$ tshark -G currentprefs | egrep "^#?tcp."
#tcp.summary_in_tree: TRUE
#tcp.check_checksum: FALSE
#tcp.desegment_tcp_streams: TRUE
#tcp.reassemble_out_of_order: FALSE
#tcp.analyze_sequence_numbers: TRUE
#tcp.relative_sequence_numbers: TRUE
#tcp.default_window_scaling: Not known
#tcp.track_bytes_in_flight: TRUE
#tcp.calculate_timestamps: TRUE
#tcp.try_heuristic_first: FALSE
#tcp.ignore_tcp_timestamps: FALSE
#tcp.no_subdissector_on_error: TRUE
#tcp.dissect_experimental_options_with_magic: TRUE
#tcp.display_process_info_from_ipfix: FALSE
#tcpros.desegment_tcpros_messages: TRUE
$
Thank you very much! This works perfectly!
Comments