This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark capture filter for len parameter

0

How do I set a capture filter in tshark so that only packets with len > 0 would be registered? I tried using greater and less commands but it didn't work.

asked 06 May '13, 12:00


Loco1989
accept rate: 0%


2 Answers:

1

From your comment on @joemc's answer it turns out you mean the length of the TCP payload. In a display filter this is available as "tcp.len==0", so if you don't want to see TCP frames with no payload, then you can use "tcp.len>0"

But you are looking for a capture filter, which is a little more complicated. This is because there is no field in the TCP header for the payload length. There is only a field for the length of the TCP header. However, in the IP header there is a field "total length", which includes the length of the IP header and the IP payload (which is of course the sum of the TCP header length and the TCP payload length).

In short "IP total length = IP header length + TCP header length + TCP payload length" which results in:

TCP payload length = IP total length - IP header length - TCP header length

Now we need to create capture filters for each part:

IP total length ==> ip[2:2]
IP header length ==> (ip[0]&0x0f) << 2
TCP header length ==> (tcp[12]&0xf0) >> 2

Resulting in a capture filter of:

ip[2:2] - ((ip[0]&0x0f) << 2) - ((tcp[12]&0xf0) >> 2) > 0

answered 06 May '13, 15:02


SYN-bit ♦♦
accept rate: 20%

Thank you very much, it works exactly like it should! I would never come up with it myself... I'm not familiar with these commands for getting particular lengths but after your explanation at least I know in general what's going on and why. You helped me a lot, thanks again :)

(06 May '13, 15:53) Loco1989
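The byte arithmetic in the answer above, worked through in Python as an added example (this is not code from the original thread or from Wireshark itself). It builds a few constructed IPv4/TCP packets with struct, then evaluates exactly the expression `ip[2:2] - ((ip[0]&0x0f) << 2) - ((tcp[12]&0xf0) >> 2)` on the raw bytes, so you can see why the filter still gives the right payload length when IP options or TCP options (e.g. timestamps) are present. Like the capture filter, it assumes IPv4 with no link-layer header in front (BPF's `ip[...]` indexes are relative to the IP header and `tcp[...]` to the TCP header, which is why the IHL is needed to find the TCP header); note that `ip[]`/`tcp[]` index expressions in a capture filter only match IPv4, so IPv6 traffic is not covered by this filter.

```python
import struct

# Build a minimal IPv4 + TCP packet (checksums left at zero; they do not
# matter for offset arithmetic). Options must be padded to a multiple of 4
# bytes, as they are on the wire. These are constructed test packets, not
# captures from a real network.
def build_ipv4_tcp(payload: bytes, ip_options: bytes = b"", tcp_options: bytes = b"") -> bytes:
    assert len(ip_options) % 4 == 0 and len(tcp_options) % 4 == 0
    ihl = (20 + len(ip_options)) // 4            # IPv4 header length in 32-bit words
    data_offset = (20 + len(tcp_options)) // 4   # TCP header length in 32-bit words
    total_length = ihl * 4 + data_offset * 4 + len(payload)
    ip_hdr = struct.pack(
        "!BBHHHBBH4s4s",
        (4 << 4) | ihl,          # version / IHL
        0,                       # TOS
        total_length,            # total length  (this is ip[2:2])
        0x1234, 0,               # identification, flags/fragment offset
        64, 6, 0,                # TTL, protocol = TCP, checksum
        bytes([10, 0, 0, 1]),    # src (hypothetical RFC 1918 address)
        bytes([10, 0, 0, 2]),    # dst (hypothetical RFC 1918 address)
    ) + ip_options
    tcp_hdr = struct.pack(
        "!HHIIBBHHH",
        40000, 80,               # sport, dport
        1, 1,                    # seq, ack
        data_offset << 4,        # data offset in the high nibble (this is tcp[12])
        0x10,                    # flags: ACK
        65535, 0, 0,             # window, checksum, urgent pointer
    ) + tcp_options
    return ip_hdr + tcp_hdr + payload


# The same arithmetic as the capture filter
#   ip[2:2] - ((ip[0]&0x0f) << 2) - ((tcp[12]&0xf0) >> 2)
# applied to a packet whose first byte is the IPv4 header.
def tcp_payload_len(pkt: bytes) -> int:
    ip_total_len = struct.unpack("!H", pkt[2:4])[0]   # ip[2:2]
    ip_hdr_len = (pkt[0] & 0x0F) << 2                 # (ip[0]&0x0f) << 2, words -> bytes
    tcp_start = ip_hdr_len                            # BPF resolves tcp[...] from here
    tcp_hdr_len = (pkt[tcp_start + 12] & 0xF0) >> 2   # (tcp[12]&0xf0) >> 2, words -> bytes
    return ip_total_len - ip_hdr_len - tcp_hdr_len


def matches_filter(pkt: bytes) -> bool:
    """True iff the capture filter '... > 0' would keep this packet."""
    return tcp_payload_len(pkt) > 0


# Constructed sample packets: a pure ACK (Len=0 in Wireshark's Info column),
# a data segment, and a data segment carrying IP options (4 NOPs) and TCP
# timestamp options, which is where naive "total length - 40" would go wrong.
SAMPLE_PACKETS = {
    "pure_ack": build_ipv4_tcp(b""),
    "data": build_ipv4_tcp(b"HELLO"),
    "data_with_options": build_ipv4_tcp(
        b"GET / HTTP/1.0\r\n",
        ip_options=b"\x01\x01\x01\x01",                 # 4 x NOP
        tcp_options=b"\x01\x01\x08\x0a" + bytes(8),     # NOP NOP TSopt(len 10)
    ),
}


def kept_packets() -> list:
    """Names of the sample packets the capture filter would keep."""
    return [name for name, pkt in SAMPLE_PACKETS.items() if matches_filter(pkt)]


if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:20s} payload={tcp_payload_len(pkt):3d} kept={matches_filter(pkt)}")
```

The equivalent tshark invocation is `tshark -f "ip[2:2] - ((ip[0]&0x0f) << 2) - ((tcp[12]&0xf0) >> 2) > 0"` (`-f` is the capture-filter option; `-R`/`-Y` take display filters such as `tcp.len > 0`, which are evaluated after capture and therefore do not reduce what is written to disk).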

0

What length are you talking about? You can't have a 0 length frame. You can use tshark -R "frame.len > 256" to target specific frames, greater than 256 in this example. But "frame.len > 0" is the same as capturing everything. Are you talking about a different protocol layer?

answered 06 May '13, 13:16


joemc
accept rate: 0%

I'm not really sure myself, sorry I'm such a beginner here... Well, when I use the regular Wireshark GUI there is that column called 'Info', and there are displayed some kind of parameters like Seq, Ack, Win, Len. Some of the captured packets are described with Len = 0. I want to filter out these packets.

(06 May '13, 13:54) Loco1989