
Wireshark displays incorrect frame numbers for filtered data in second-pass analysis


I am using Wireshark 2.0.3. While using tshark, it is seen that frame numbers for unfiltered data and filtered data for the same packets are appearing different. The command that I am giving is as follows: tshark -r test.pcap

which will produce unfiltered data from the capture file

and

tshark -r test.pcap -R "...some criteria..." -2

which will give filtered data. On comparing the frame numbers, it is seen that frame numbers for the same packets (with the same time stamp, TTL, seq num, etc.) are different. This happens only on second-pass analysis. If I do a single-pass analysis

tshark -r test.pcap -Y "...some criteria..."

frame numbers are consistent.

Is it supposed to work this way? Or is it a bug?

Thanks and Best Regards, Akshay

asked 2018-09-06 19:38:22 +0000


1 Answer


It is supposed to work this way.

-Y is used to specify a display filter, so while all packets are read from the capture file, only the packets matching the specified display filter criteria are displayed. This means all frame numbers shown are the original frame number from the file.

Contrast this with -R, which specifies a read filter. This means that only those packets matching the specified read filter criteria are read from the file. As such, the frame numbers are renumbered because non-matching packets are essentially treated as if they weren't part of the capture file to begin with.

Read more about display filters vs. read filters on the tshark man page.

cmaynard (11.1k)
answered 2018-09-06 20:41:30 +0000
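As an added example (not from the question, the answer, or the Wireshark project), the POSIX shell script below reconciles the two numberings the answer describes. It takes the two `tshark -T fields -e frame.number -e frame.time_epoch` listings, one without a read filter and one produced with `-2 -R`, and joins them on `frame.time_epoch` to print which original frame each renumbered frame corresponds to. The `compare_numbering` wrapper assumes `tshark` is on PATH; the `demo` function runs the same join on constructed listings so the script works offline. It also assumes timestamps are unique per packet; packets sharing a timestamp would need an extra join key.

```shell
#!/bin/sh
# Added example: map the renumbered frames of a `tshark -2 -R` listing back
# to the original frame numbers of the capture by joining on frame.time_epoch.
# Assumption: frame.time_epoch is unique per packet in the capture.

# map_frame_numbers UNFILTERED FILTERED
# Each file holds tshark -T fields output: frame.number <TAB> frame.time_epoch.
map_frame_numbers() {
    awk '
        NR == FNR { orig[$2] = $1; next }   # first file: original numbering
        ($2 in orig) { printf "renumbered %s -> original %s\n", $1, orig[$2]; next }
        { printf "renumbered %s -> no match\n", $1 }   # timestamp absent from unfiltered pass
    ' "$1" "$2"
}

# compare_numbering CAPTURE READ_FILTER
# Runs the two passes from the question (needs tshark on PATH) and prints the mapping.
compare_numbering() {
    unfiltered=$(mktemp) || return 1
    filtered=$(mktemp) || return 1
    tshark -r "$1" -T fields -e frame.number -e frame.time_epoch > "$unfiltered"
    tshark -r "$1" -2 -R "$2" -T fields -e frame.number -e frame.time_epoch > "$filtered"
    map_frame_numbers "$unfiltered" "$filtered"
    rm -f "$unfiltered" "$filtered"
}

# demo: constructed listings standing in for tshark output on a five-packet
# capture where the read filter kept original frames 2, 4 and 5.
demo() {
    u=$(mktemp) || return 1
    f=$(mktemp) || return 1
    printf '1\t1536260000.000100\n2\t1536260000.000200\n3\t1536260000.000300\n4\t1536260000.000400\n5\t1536260000.000500\n' > "$u"
    printf '1\t1536260000.000200\n2\t1536260000.000400\n3\t1536260000.000500\n' > "$f"
    map_frame_numbers "$u" "$f"
    rm -f "$u" "$f"
}

demo
```

When the original numbers are what you need in the filtered output (for instance to cross-reference a frame number recorded elsewhere), using -Y instead of -R avoids the renumbering altogether, as the answer says; the join above is for the case where a -R listing already exists and has to be reconciled after the fact.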


Thanks Christopher.

I have noticed that in the older Wireshark versions there was only the -R option (no -Y or -2 option). Does that mean the older -R option corresponds to the current -Y option? In other words, in the older version if I give tshark -r test.pcap -R "...some criteria..." and in the newer version if I give tshark -r test.pcap -Y "...some criteria...", will both these commands produce the same frame numbers for a particular capture file (test.pcap)? (Both Wireshark versions are installed on my system.)

Akshay (2018-09-06 21:33:52 +0000)

I don't recall the specifics, but you can visit https://ask.wireshark.org/questions/5... or https://stackoverflow.com/questions/4... and review the history about these options from the links I provided there.

cmaynard (2018-09-07 15:09:00 +0000)
