This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi, I'm trying to capture some http traffic from a machine's local interface. So I run a command as such

tshark -i 1 -R data -V -l

The frames I get are like this

Frame 18: 531 bytes on wire (4248 bits), 531 bytes captured (4248 bits)
    Arrival Time: May 21, 2012 15:15:13.311786000 Eastern Daylight Time
    Epoch Time: 1337627713.311786000 seconds
    [Time delta from previous captured frame: 0.009366000 seconds]
    [Time delta from previous displayed frame: 0.009366000 seconds]
    [Time since reference or first frame: 19.356632000 seconds]
    Frame Number: 18
    Frame Length: 531 bytes (4248 bits)
    Capture Length: 531 bytes (4248 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: data]

As you can see the eth:ip:tcp information is not in frame. Does anyone know why? This is a VMware machine sniffing on the local interface. Could the fact that it's VMware be the problem? We've never seen this before even on VM machines.

Thanks,
Al

asked 21 May '12, 12:54

aaghili

edited 21 May '12, 14:55

helloworld

It works on my systems (tshark 1.6.7). What is your version?

tshark -v

(21 May '12, 13:24) Kurt Knochner ♦

Sure, here is the -v info. I've also included the interface -D option and also the machine info. Thanks in advance.

C:\Program Files\Wireshark>tshark -v
TShark 1.6.7 (SVN Rev 41973 from /trunk-1.6)

Copyright 1998-2012 Gerald Combs <[email protected]wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.26.1, with WinPcap (version unknown), with libz
without Kerberos, with GeoIP.
Running on 64-bit Windows Server 2008 Service Pack 2, build 6002,

(21 May '12, 14:45) aaghili

C:\Program Files\Wireshark>tshark -D
1. \Device\NPF_{FABA2F2D-B86F-4923-9198-581F20F659A1} (VMware vmxnet3 virtual network device)
2. \Device\NPF_{3CC06A28-A9F7-4B31-8242-6F4D53CBF6FF} (MS Tunnel Interface Driver)

(21 May '12, 14:46) aaghili

Could be a problem with Windows 2008. The same version (1.6.7) works as expected on my Windows XP test system. What happens if you run this command:

tshark -i 1 -V -l

(21 May '12, 23:52) Kurt Knochner ♦

This works for me as well. It also works with -T Fields option. But when I use -R data I don't see the TCP/IP ETH headers in the frame. I can get around this issue by using the other options, but it's strange that the -R data option is not working correctly.

(24 May '12, 06:58) aaghili

question asked: 21 May '12, 12:54

question was seen: 3,069 times

last updated: 24 May '12, 06:58
