Wireshark mailing list archives
question about tshark output
From: Martin Sehnoutka <msehnout () redhat com>
Date: Wed, 3 Aug 2016 11:14:42 +0200
Hi,

I have a question about tshark output. Let's say that I have a capture like this:

$ tshark -r test.pcap | head --lines 5
1 0.000000 7.56.29.59 → 7.39.4.46 TCP 74 53996→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2800540155 TSecr=0 WS=1024
2 0.000260 7.39.4.46 → 7.56.29.59 TCP 74 80→53996 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=3196888027 TSecr=2800540155 WS=1024
3 0.000307 7.56.29.59 → 7.39.4.46 TCP 66 53996→80 [ACK] Seq=1 Ack=1 Win=29696 Len=0 TSval=2800540156 TSecr=3196888027
4 0.000431 7.56.29.59 → 7.39.4.46 TCP 205 53996→80 [PSH, ACK] Seq=1 Ack=1 Win=29696 Len=139 TSval=2800540156 TSecr=3196888027
5 0.000712 7.39.4.46 → 7.56.29.59 TCP 66 80→53996 [ACK] Seq=1 Ack=140 Win=16384 Len=0 TSval=3196888027 TSecr=2800540156

and I'd like to filter it with this setup:

$ tshark -r test.pcap -Tfields -e tcp.len -e frame.len -e data.len -E separator=, | head --lines=5
0,74,
0,74,
0,66,
139,205,139
0,66,

Now, tcp.len is displayed as 0, but data.len is empty. Is it by design? Does it mean "not applicable"?

Best regards,
--
Martin Sehnoutka
Associate Software Engineer
Brno, Purkyňova 99
RED HAT | TRIED. TESTED. TRUSTED.

___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives: https://www.wireshark.org/lists/wireshark-dev
Current thread:
- question about tshark output Martin Sehnoutka (Aug 03)
- Re: question about tshark output Jaap Keuter (Aug 03)