Hi, I am running a Wireshark capture on the LAN cape side, i.e. 192.168.0.x router side. I am looking for Router Advertisement packets. I am running a display filter "icmpv6.type == 134". I want to read the 'M' (managed address configuration) bit, 'O' (other stateful configuration) bit, 'L' bit and 'A' bit from the captured file. I am using the tshark command line as I am doing this for automation and cannot use the Wireshark GUI for reading these flags. I want to read these flags from the capture file. I am currently using:
tshark -r <capturedfile> -R "icmpv6.type == 134" -w <newcapturedfile>
but it only gives the RA packets, but I need to read the boolean flag bits.
-Gourab Majumdar.
asked 21 Oct '13, 21:42 Gourab Majumdar
One Answer:
That's because you wrote the frames (option -w) that matched your filter into a new pcap file.
Please try this:
If you need more/other fields (flags), please try to find them here:
Regards
answered 28 Oct '13, 07:53 Kurt Knochner
Hi Kurt,
Thanks for the detailed filter. With the filter I am now getting the RA packets with the "M" and "O" flags/bits. Actually I want to display/read only those packets which have M=1 and O=1 and not any others. Right now I am getting all captures which have those bits in the flags, I mean all RA packets. I tried the following:
tshark -nr Ra.pcap -R "icmpv6.type == 134" -T fields -e frame.number -e ipv6.src -e ipv6.dst -e icmpv6.mip6.flag.m==1 -e icmpv6.mip6.flag.o==1 -E header=y -E separator=;
But it did not work. How can we set the filter so that it reads only those packets which have the bits SET and not others?
The -e switches indicate which fields to include in the output; they aren't filters. To only output those packets with the required flags you'll need to adjust the filter following the -R switch. You should be able to use the expressions you have (incorrectly) used in the -e switches.
As @grahamb said, please use the following tshark command
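Added example, not part of the thread and not the tshark command referred to above: for automation that has the raw ICMPv6 payload rather than tshark output, this Python sketch reads the M and O bits from the RA header and the L and A bits from each Prefix Information option, following the RFC 4861 layout. The function names and the sample packets are constructed for illustration.

```python
import ipaddress
import struct

RA_TYPE, OPT_PREFIX_INFO = 134, 3  # RFC 4861 type codes

def parse_ra_flags(icmpv6: bytes) -> dict:
    """Return M/O flags and per-prefix L/A flags from a raw ICMPv6 RA message."""
    if len(icmpv6) < 16 or icmpv6[0] != RA_TYPE:
        raise ValueError("not a complete Router Advertisement")
    ra_flags = icmpv6[5]                      # byte after Cur Hop Limit
    result = {"M": bool(ra_flags & 0x80), "O": bool(ra_flags & 0x40), "prefixes": []}
    off = 16                                  # options follow the fixed RA header
    while off + 2 <= len(icmpv6):
        opt_type, opt_len = icmpv6[off], icmpv6[off + 1] * 8   # length is in 8-byte units
        if opt_len == 0 or off + opt_len > len(icmpv6):
            raise ValueError("malformed option")               # zero length would loop forever
        if opt_type == OPT_PREFIX_INFO and opt_len == 32:
            plen, pflags = icmpv6[off + 2], icmpv6[off + 3]
            prefix = ipaddress.IPv6Address(icmpv6[off + 16:off + 32])
            result["prefixes"].append({"prefix": f"{prefix}/{plen}",
                                       "L": bool(pflags & 0x80),
                                       "A": bool(pflags & 0x40)})
        off += opt_len
    return result

def is_managed_and_other(icmpv6: bytes) -> bool:
    """True only for RAs with both M=1 and O=1, the case asked about in the thread."""
    ra = parse_ra_flags(icmpv6)
    return ra["M"] and ra["O"]

def build_sample_ra(ra_flags: int, prefix_flags: int) -> bytes:
    """Constructed test packet (checksum left as 0; it is not validated here)."""
    header = struct.pack("!BBHBBHII", RA_TYPE, 0, 0, 64, ra_flags, 1800, 0, 0)
    slla = bytes([1, 1]) + bytes.fromhex("020000000001")       # source link-layer option
    pio = struct.pack("!BBBBIII", OPT_PREFIX_INFO, 4, 64, prefix_flags, 86400, 14400, 0)
    return header + slla + pio + ipaddress.IPv6Address("2001:db8::").packed

if __name__ == "__main__":
    for flags in (0xC0, 0x40):                # M=1,O=1 and M=0,O=1
        pkt = build_sample_ra(flags, 0xC0)
        print(parse_ra_flags(pkt), "match" if is_managed_and_other(pkt) else "skip")
```
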