This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to print “Information” field?

Hi,

I'm trying to look at real time capturing through tshark. The requirement is that I only see some specific fields. For example, if I want to quickly identify if there were dupAck or retransmission, I can only print out the "Information" field as shown up in wireshark GUI. I did -T -e but it doesn't help. I know that information is not a TCP field, but a wireshark function. How to achieve my goal for real time monitoring for such sensitive information?

thanks a lot!

tshark

asked 20 Aug '14, 02:42

SteveZhou
191●27●30●34
accept rate: 0%

edited 20 Aug '14, 03:23

grahamb ♦
19.8k●3●30●206

2 Answers:

Depending on your definition of "real time", tshark may not qualify as a real time application as it does take some time for packets to be processed.

Given the above qualification, you can print out the state of the tcp.analysis.xxx flags, e.g.

tshark -i xxx -T fields -e frame.number -e tcp.analysis.spurious_retransmission

You can see a list of all the tcp.analysis flags using tshark -G fields and then searching the output for "tcp.analysis" using your preferred method, e.g. grep.

Note that if you're running tshark for any length of time it's likely to run out of memory and crash. See the wiki page Out of Memory

answered 20 Aug '14, 03:22

grahamb ♦
19.8k●3●30●206
accept rate: 22%

See the answers to these questions for 2 possible solutions:

Note: With version 1.12, use -e _ws.col.Info, whereas previous versions (1.8 and 1.10 only, I believe), you would need to use -e col.Info.

answered 20 Aug '14, 06:41

cmaynard ♦♦
9.4k●10●38●142
accept rate: 20%