This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

TCP eth or IP protocols are not in frame

Hi, I'm trying to capture some http traffic from a machine's local interface. So I run a command as such

tshark -i 1 -R data -V -l

The frames I get are like this

Frame 18: 531 bytes on wire (4248 bits), 531 bytes captured (4248 bits)
    Arrival Time: May 21, 2012 15:15:13.311786000 Eastern Daylight Time
    Epoch Time: 1337627713.311786000 seconds
    [Time delta from previous captured frame: 0.009366000 seconds]
    [Time delta from previous displayed frame: 0.009366000 seconds]
    [Time since reference or first frame: 19.356632000 seconds]
    Frame Number: 18
    Frame Length: 531 bytes (4248 bits)
    Capture Length: 531 bytes (4248 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: data]

As you can see the eth:ip:tcp information is not in frame. Does anyone know why? This is a VMware machine sniffing on the local interface. Could the fact that it's VMware be the problem? We've never seen this before even on VM machines.

Thanks,
Al

asked 21 May '12, 12:54

aaghili

edited 21 May '12, 14:55

helloworld

It works on my systems (tshark 1.6.7). What is your version?

tshark -v

(21 May '12, 13:24) Kurt Knochner ♦

Sure here is the -v info. I've also included the interface -D option and also the machine info. Thanks in advance.

C:\Program Files\Wireshark>tshark -v
TShark 1.6.7 (SVN Rev 41973 from /trunk-1.6)

Copyright 1998-2012 Gerald Combs <[email protected]wireshark.org> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.26.1, with WinPcap (version unknown), with libz without Kerberos, with GeoIP.

Running on 64-bit Windows Server 2008 Service Pack 2, build 6002,

(21 May '12, 14:45) aaghili

C:\Program Files\Wireshark>tshark -D

  1. \Device\NPF_{FABA2F2D-B86F-4923-9198-581F20F659A1} (VMware vmxnet3 virtual network device)
  2. \Device\NPF_{3CC06A28-A9F7-4B31-8242-6F4D53CBF6FF} (MS Tunnel Interface Driver)

(21 May '12, 14:46) aaghili

Could be a problem with Windows 2008. The same version (1.6.7) works as expected on my Windows XP test system. What happens if you run this command:

tshark -i 1 -V -l

(21 May '12, 23:52) Kurt Knochner ♦

This works for me as well. It also works with the -T Fields option. But when I use -R data I don’t see the TCP/IP ETH headers in the frame. I can get around this issue by using the other options, but it's strange that the -R data option is not working correctly.

(24 May '12, 06:58) aaghili