This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark: The file “capture.cap” appears to have been cut short in the middle of a packet.

0

Hi All, is it possible to ignore this error and display the query results? I am just trying to obtain cipher information from connections using this command:

tshark -r capture.cap -V -2R ssl.handshake.type==1 -T fields -e ip.src -e ssl.handshake.version -e ssl.handshake.ciphersuite

tshark: The file "capture.cap" appears to have been cut short in the middle of a packet.

The file loads in the UI after displaying the same error messages and clicking OK, so I know the file is not corrupted. Let me know.

Thanks in advance!

asked 04 Nov '14, 10:59

StriclyFlava's gravatar image

StriclyFlava
1222
accept rate: 0%


One Answer:

0

Please try this:

tshark -r capture.cap -V -q -Y -R ssl.handshake.type==1 -T fields -e ip.src -e ssl.handshake.version -e ssl.handshake.ciphersuite

Regards
Kurt

answered 04 Nov '14, 13:22

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 04 Nov '14, 13:23

Thanks Kurt, however, this syntax does not work, it is just displays all of the options. I am using version 1.12.1 in case that helps.

Thanks

(04 Nov '14, 15:25) StriclyFlava

sorry, I forgot to delete -R.

tshark -r capture.cap -V -q -Y ssl.handshake.type==1 -T fields -e ip.src -e ssl.handshake.version -e ssl.handshake.ciphersuite

Does that work better?

(04 Nov '14, 15:53) Kurt Knochner ♦