What would cause tshark's ip.len to show some results with commas?


Is there a reason why some results have commas from tshark's ip.len? I'm using "tshark -nr file.pcap -T fields -e ip.len" for the command.

Some examples:

92,64

91,63

112,95

5,761,612

112,133

The examples above represent only 3% of the total results where a comma could be expected (4 digits or more); the other 97% do not have commas.

Seeing that's the case, I would not expect to see any commas, hence my question as to why some results have commas.

proto_analyzer
asked 2022-10-10 03:12:52 +0000

Comments

For any given capture in which you see this:

  1. How many packets have a comma in ip.len?
  2. How many packets have more than one IP header because the IP payload itself contains a full IP packet?
Guy Harris (2022-10-10 05:59:37 +0000)

1 Answer


The most probable cause would be that those packets have multiple IP layers (like an ICMP destination unreachable packet that carries part of the original packet as its ICMP payload). Can you try tshark -nr file.pcap -T fields -e ip.proto -e ip.src -e ip.dst -e ip.len to get a little more info on those packets?

SYN-bit
answered 2022-10-11 12:23:22 +0000
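The mechanism behind the answer above, as an added example that is not part of the original question or answer: tshark -T fields prints every occurrence of a requested field in a frame and joins them with the aggregator character (default ","), so a frame that holds two IPv4 headers yields two ip.len values in one cell. An ICMP error such as Destination Unreachable quotes the IP header of the datagram that triggered it, which is exactly that situation. The script below builds such a frame by hand (all addresses and sizes are constructed, chosen so the cell comes out as "92,64" like the first value in the question), walks the IP layers the way a dissector does, and renders the row SYN-bit's command would print. The helper names (ip_layers, fields_row, ...) are this example's own, not Wireshark APIs; the -E occurrence=f|l|a and -E aggregator=<char> options it emulates are documented in tshark(1).

```python
"""
Added example (not from the original page): why one `ip.len` cell from
`tshark -T fields` can contain two comma-separated numbers.

An ICMP Destination Unreachable message carries the IP header (and some or all
of the payload) of the datagram that caused it, so the frame contains two IPv4
headers and therefore two ip.len values. All frames here are constructed.
"""
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # ICMP types whose body quotes an IP header (RFC 792)


def _dotted(addr_bytes):
    """b'\\x0a\\x00\\x00\\x01' -> '10.0.0.1'"""
    return ".".join(str(o) for o in addr_bytes)


def _packed(addr_str):
    """'10.0.0.1' -> b'\\x0a\\x00\\x00\\x01'"""
    return bytes(int(o) for o in addr_str.split("."))


def ipv4_header(src, dst, proto, total_len, ttl=64):
    """20-byte IPv4 header without options; checksum left at 0 (not needed for parsing)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, ttl, proto, 0,
                       _packed(src), _packed(dst))


def build_udp_datagram(src, dst, payload_len):
    """Constructed IPv4/UDP datagram: 20 (IP) + 8 (UDP) + payload_len bytes."""
    udp = struct.pack("!HHHH", 40000, 33434, 8 + payload_len, 0) + b"\0" * payload_len
    return ipv4_header(src, dst, 17, 20 + len(udp)) + udp


def build_icmp_unreachable(router, original):
    """
    Constructed ICMP Destination Unreachable (type 3, code 3) sent by `router`
    back to the source of `original`, quoting the whole original datagram
    (RFC 1812 allows quoting as much of it as fits in a 576-byte packet).
    """
    quoted = original[:548]
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted      # type, code, checksum, unused
    return ipv4_header(router, _dotted(original[12:16]), 1, 20 + len(icmp)) + icmp


def ip_layers(frame):
    """
    Walk the frame like a dissector and return one dict per IPv4 header found:
    the outer header first, then any header quoted inside an ICMP error body.
    """
    layers, off = [], 0
    while off + 20 <= len(frame) and frame[off] >> 4 == 4:
        ihl = (frame[off] & 0x0F) * 4
        total_len = struct.unpack_from("!H", frame, off + 2)[0]
        proto = frame[off + 9]
        layers.append({"ip.proto": proto,
                       "ip.src": _dotted(frame[off + 12:off + 16]),
                       "ip.dst": _dotted(frame[off + 16:off + 20]),
                       "ip.len": total_len})
        icmp_off = off + ihl
        if proto != 1 or icmp_off + 8 > len(frame) or frame[icmp_off] not in ICMP_ERROR_TYPES:
            break
        off = icmp_off + 8  # the quoted IP header follows the 8-byte ICMP header
    return layers


def fields_cell(values, occurrence="a", aggregator=","):
    """Render one -T fields cell, honouring -E occurrence=f|l|a and -E aggregator=<char>."""
    if not values:
        return ""
    if occurrence == "f":
        return str(values[0])
    if occurrence == "l":
        return str(values[-1])
    return aggregator.join(str(v) for v in values)


def fields_row(frame, fields=("ip.proto", "ip.src", "ip.dst", "ip.len"), occurrence="a"):
    """Emulate `tshark -T fields -e <field>...` output for one frame (tab-separated)."""
    layers = ip_layers(frame)
    return "\t".join(fields_cell([layer[f] for layer in layers], occurrence) for f in fields)


if __name__ == "__main__":
    original = build_udp_datagram("10.0.0.2", "10.0.0.9", 36)  # ip.len 64
    error = build_icmp_unreachable("10.0.0.1", original)        # ip.len 92, quotes the 64-byte original
    print(fields_row(error))                  # 1,17  10.0.0.1,10.0.0.2  10.0.0.2,10.0.0.9  92,64
    print(fields_row(error, occurrence="f"))  # 1     10.0.0.1           10.0.0.2           92
    print(fields_row(original))               # 17    10.0.0.2           10.0.0.9           64
```

The first printed row is what SYN-bit's suggested command shows for an ICMP error frame: every column doubles up, and the order is always outer layer first. If only the outermost header matters for a tally, pass -E occurrence=f to tshark; if the inner values are wanted too but the comma is awkward for later parsing, -E aggregator=/s switches the separator to a space.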
