How do I set a capture filter in tshark so that only packets with len > 0 would be registered? I tried using greater and less commands but it didn't work.
asked 06 May '13, 12:00
From your comment on @joemc's answer it turns out you mean the length of the TCP payload. In a display filter this is available as "tcp.len==0", so if you don't want to see TCP frames with no payload, then you can use "tcp.len>0".
But you are looking for a capture filter, and this is a little more complicated. This is because there is no field in the TCP header for the payload length. There is only a field for the length of the TCP header. However, in the IP header, there is a field "total length", which includes the length of the IP header and the IP payload (which is of course the sum of TCP header length and TCP payload length).
In short "IP total length = IP header length + TCP header length + TCP payload length" which results in:
Now we need to create capture filters for each part:
Resulting in a capture filter of:
answered 06 May '13, 15:02
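Added example, not part of the original answer (whose filter text is missing from this page): a commonly used IPv4 capture filter that implements the length equation above, with the same arithmetic replayed in Python over constructed packets so each header-length term can be checked. The filter string, function names and sample packets are assumptions of this example.

```python
import struct

# Assumed IPv4 capture filter (not recovered from the original answer):
#   ip[2:2]            IP total length
#   (ip[0]&0xf)<<2     IP header length in bytes (IHL counts 32-bit words)
#   (tcp[12]&0xf0)>>2  TCP header length in bytes (data offset is the high nibble)
CAPTURE_FILTER = "tcp and (ip[2:2] - ((ip[0]&0xf)<<2) - ((tcp[12]&0xf0)>>2)) > 0"

def tcp_payload_len(ip_packet: bytes) -> int:
    """Apply the arithmetic of CAPTURE_FILTER to a raw IPv4 packet."""
    if len(ip_packet) < 20 or ip_packet[0] >> 4 != 4 or ip_packet[9] != 6:
        raise ValueError("not an IPv4/TCP packet")
    total_len = struct.unpack("!H", ip_packet[2:4])[0]       # ip[2:2]
    ip_hdr_len = (ip_packet[0] & 0x0F) << 2                  # (ip[0]&0xf)<<2
    if ip_hdr_len < 20 or len(ip_packet) < ip_hdr_len + 20:
        raise ValueError("truncated or malformed header")
    tcp_hdr_len = (ip_packet[ip_hdr_len + 12] & 0xF0) >> 2   # (tcp[12]&0xf0)>>2
    return total_len - ip_hdr_len - tcp_hdr_len

def keep(ip_packet: bytes) -> bool:
    """True when the capture filter would keep the packet."""
    return tcp_payload_len(ip_packet) > 0

def build_packet(ip_opts: bytes, tcp_opts: bytes, payload: bytes) -> bytes:
    """Constructed sample IPv4/TCP packet; checksums are left at zero."""
    if len(ip_opts) % 4 or len(tcp_opts) % 4:
        raise ValueError("options must be padded to a multiple of 4 bytes")
    ihl = 5 + len(ip_opts) // 4
    doff = 5 + len(tcp_opts) // 4
    total = ihl * 4 + doff * 4 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, total, 0, 0, 64, 6, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])) + ip_opts
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 1, 1, doff << 4, 0x18,
                      65535, 0, 0) + tcp_opts
    return ip + tcp + payload

if __name__ == "__main__":
    timestamps = bytes([1, 1, 8, 10]) + bytes(8)   # NOP, NOP, 10-byte timestamp option
    samples = {
        "bare segment, no options": build_packet(b"", b"", b""),
        "no payload, TCP options": build_packet(b"", timestamps, b""),
        "data, IP and TCP options": build_packet(bytes([1] * 4), timestamps,
                                                 b"GET / HTTP/1.1\r\n"),
    }
    for name, pkt in samples.items():
        print(f"{name}: payload={tcp_payload_len(pkt)} keep={keep(pkt)}")
```

The string in `CAPTURE_FILTER` is what would be passed to tshark with `-f`. It only matches TCP over IPv4, since it reads the lengths through the `ip[...]` accessor.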
What length are you talking about? You can't have a 0 length frame. You can use tshark -R "frame.len > 256" to target specific frames, greater than 256 in this example. But "frame.len > 0" is the same as capturing everything. Are you talking about a different protocol layer?
answered 06 May '13, 13:16