
tshark: How do I display the absolute frame number?

Greetings. I want to get a list of all the SNI server_names from the HTTPS Client Hello packets. No problem, this works:

tshark -r capture.pcap -T fields -e ssl.handshake.extensions_server_name -2 -R ssl.handshake.extensions_server_name

In my capture, the following packets have that information: 59, 62, 65, 146, 502, 574, 650, 712.

However, I would like to see the real frame numbers associated with those. In Wireshark itself, I can just filter on:

ssl.handshake.extensions_server_name != ""

and it shows the absolute frame number. In tshark, if I specify a -e frame.number it displays 1-8 for the frame number. Is there a way to see the Wireshark-like output of the original frame number?

theglossy1
asked 2018-07-16 21:40:34 +0000, updated 2018-07-16 21:41:15 +0000

1 Answer


In a nutshell, use a display filter (-Y) instead of a read filter (-R), e.g.:

tshark -r capture.pcap -T fields -e frame.number -e ssl.handshake.extensions_server_name -2 -Y ssl.handshake.extensions_server_name

Refer to the tshark man page for more details.

cmaynard
answered 2018-07-16 21:49:41 +0000

Comments

Makes total sense. The read filter (-R) affects the file as it's "coming in" whereas the display filter affects the output only. Beautiful.

theglossy1 (2018-07-16 21:58:13 +0000)
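The answer above gives the tshark invocation; what a practitioner usually wants next is to turn its tab-separated output into a frame-number-to-SNI map that can be correlated with other evidence from the same capture (that is exactly why the absolute frame number matters). The following is an added example, not code from the thread or from the Wireshark project. It assumes tshark was run as in the answer, with `-e frame.number` first and the SNI field second, and a display filter (`-Y`) so that `frame.number` is the capture's absolute number. Note that since Wireshark 3.0 the `ssl.*` field prefix was renamed to `tls.*`, so on a current build the field is `tls.handshake.extensions_server_name`; the helper below defaults to that name. The sample output is constructed, not captured, and includes one blank SNI field to show what the lines look like if the display filter is omitted.

```python
"""Parse `tshark -T fields` output into {absolute frame number: [SNI names]}.

Added example (not from the ask.wireshark.org thread). Assumes the command from the
accepted answer: -e frame.number -e <sni field> with a display filter (-Y).
"""
import subprocess
from typing import Dict, List

# Current Wireshark builds use the tls.* prefix; pre-3.0 builds used ssl.*.
SNI_FIELD = "tls.handshake.extensions_server_name"

# Constructed sample of `tshark -T fields` output (tab-separated, one frame per line).
# Frame 63 has an empty SNI column to show the unfiltered case; with -Y it would
# simply not be printed. tshark joins repeated field occurrences with "," by default.
SAMPLE_TSHARK_OUTPUT = """\
59\texample.com
62\tupdates.example.net
63\t
146\tcdn.example.org,alt.example.org
502\tlogin.example.com
"""


def build_tshark_command(pcap: str, field: str = SNI_FIELD) -> List[str]:
    """Build the argv for the answer's command: display filter, not read filter,
    so frame.number stays the capture's absolute number."""
    return [
        "tshark", "-r", pcap,
        "-T", "fields",
        "-e", "frame.number",
        "-e", field,
        "-2",          # two-pass analysis, as in the answer
        "-Y", field,   # display filter: only frames where the field is present
    ]


def parse_fields_output(text: str, sep: str = "\t") -> Dict[int, List[str]]:
    """Map each absolute frame number to the list of SNI names seen in it.

    Handles blank lines, an empty SNI column (frame listed with no names) and
    multiple occurrences joined by ",".
    """
    result: Dict[int, List[str]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(sep, 1)
        frame = int(parts[0])
        sni_column = parts[1] if len(parts) > 1 else ""
        names = [name for name in sni_column.split(",") if name]
        result[frame] = names
    return result


def frames_with_sni(mapping: Dict[int, List[str]]) -> List[int]:
    """Sorted absolute frame numbers that actually carried an SNI name."""
    return sorted(frame for frame, names in mapping.items() if names)


def sni_from_pcap(pcap: str, field: str = SNI_FIELD) -> Dict[int, List[str]]:
    """Run tshark on a real capture and parse its output (requires tshark on PATH)."""
    proc = subprocess.run(build_tshark_command(pcap, field),
                          capture_output=True, text=True, check=True)
    return parse_fields_output(proc.stdout)


if __name__ == "__main__":
    mapping = parse_fields_output(SAMPLE_TSHARK_OUTPUT)
    for frame in frames_with_sni(mapping):
        print(frame, ",".join(mapping[frame]))
```

Run it against a real file with `sni_from_pcap("capture.pcap")`; the frame numbers it returns are the same ones Wireshark shows for `tls.handshake.extensions_server_name != ""`, so they can be fed straight back into a `frame.number == N` filter when you need to look at the surrounding conversation.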
