filtering out protocol, sequence number, and ack using tshark

retag add tags

How can I filter out the protocol, sequence number, and ack using tshark? I could filter out other options as follow:

tshark -r traffic.pcap -T fields -E separator=, -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport  -e frame.len -e tcp.flags  -e _ws.col.Info -E header=y -E quote=d -E occurrence=f

Use the "-e" options listed below:

protocol, -e _ws.col.Protocol
sequence number, assuming you mean tcp sequence number, -e tcp.seq
ack, for ack number use -e tcp.ack, for ack flag use -e tcp.flags.ack

In general to find the filter name select the item in the packet details pane and look at the name in parenthesis in the status bar at the bottom. Any column can be used by prefixing the name with "_ws.col.".

23.8k

grahamb

answered 2017-11-23 17:47:21 +0000

edit flag offensive 0 remove flag delete link

Comments

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

filtering out protocol, sequence number, and ack using tshark edit

Comments

1 Answer

Comments