if i open any pcap in wireshark, it will have several columns to display the information like src/dest ip & port no's, prot, info etc for each packet. i want one more column to be added which displays the data length field. i searched for this field but rather i could only find "packet length" field which shows the length of packet including the headers but i want only the payload length. is there any way to do that ?? OR is there any way to plot the graph with packet no on the x axis and payload length on the y axis ? asked 03 Jul '12, 23:32  viks edited 03 Jul '12, 23:38 |
One Answer:
You can add a new column like this:
Choose the Field Type to be Click Apply and Save. BTW: You can change the position of the column with drag-n-drop. Regards answered 04 Jul '12, 01:55  Kurt Knochner ♦ |
@kurt : thanks a lot. one more thing...is there any way to export only the payload bytes (rather than export in c arrays form which has headers also) or to plot the payload bytes vs packet number ?
you can do that with tshark.
payload bytes
payload length
tcp.len is the payload length for TCP. For a list of other fields, run this command:
@kurt : thanks for the info. when i Choose the Field Type to be Custom and the Field name data.len it doesn't work. Any idea ?
the fields
data.*will be only set if the dissector for a protcol is disabled (Analyze -> Enabled Protocols) or if there is no dissector for a protocol. Example: If you disable the protocol 'HTTP' and thendata.lenwill work. You better usetcp.lenorudp.length