yes i am a bit new to this. i thought i knew what was in front of me, i realize i do not. bpf syntax makes me want to scream! i hate it.

anyway this is what i want to accomplish. this is a TSHARK question on a win 7 machine. i simply want to OMIT THE DISPLAY/CAPTURE OF THIS>> [TCP segment of a reassembled PDU]. that is what i see endlessly in SSL traffic. it drives me nuts.

i am using this syntax and tshark totally ignores it and bypasses it:

tshark -Y !tcp.continuation_to !port 53 or udp

(i wish to keep seeing UDP when i need to) it also ignores this: !tcp.reassembled_in

my question is WHY?????? does anyone know the damn syntax to drop retransmitted PDUs?????? thank you immensely!

extra bonus help: do we know of a way to also have tshark not post the number of packets to the screen? like 1,2,3,4 like it keeps doing. also, why in the world has no one ever come up with a way to put SPACES between packet line output? whether it be in ngrep/this/ or tcpdump!

asked 17 Nov '14, 02:29 McKittrick
2 Answers:
You are asking several questions; in the future, it would be better to submit a separate question for each query rather than to lump a bunch of them into a single question. I'll start with the first one:

i simply want to OMIT THE DISPLAY/CAPTURE OF THIS>> [TCP segment of a reassembled PDU]

You need to de-select the "

If you don't want to change the preference permanently, you can change it on the tshark command-line by using the

As for your second question:

do we know of a way to also have tshark not post the number of packets to the screen?

One way of accomplishing this is to manually specify the column format using the

Run

Finally:

why in the world has no one ever come up with a way to put SPACES between packet line output?

Probably because nobody has ever expressed a desire for it before nor took the time to implement such a feature. You are welcome to do so. The

answered 17 Nov '14, 10:14 cmaynard ♦♦

thank you so much! you got rid of the issue i had with seeing the retransmitted PDUs. the other question still seems to linger. the column output you threw up i typed exact and still see those pesky numbers. i'll show you:

C:\Users\McKittrick\Desktop>tshark -o "gui.column.format:\"Time\",\"%t\",\"Source\",\"%s\",\"Destination\",\"%d\",\"Protocol\",\"%p\",\"Length\",\"%L\",\"Info\" ,\"%i\""
Capturing on 'Local Area Connection'
fe80::21b:54ff:feca:fdd9 -> ff02::1:ff2a:93ed ICMPv6 86 Neighbor Solicitation for 2001:48f8:24:452:5510:d93:8c2a:93ed from 00:1b:54:ca:fd:d9
1 192.168.0.1 -> 224.0.0.1 IGMPv3 60 Membership Query, general
2 fe80::21b:54ff:feca:fdd9 -> ff02::1:ff16:2063 ICMPv6 86 Neighbor Solicitation

see the 1 and 2?

lastly, and this will be my last question in relation to what i posted, how do i use an -o flag to omit seeing this> 192.168.0.16 SSL 1514 Continuation Data (the CONTINUATION DATA i just need one instance of it, not an entire screen full, lol) and once again, ty!

(19 Nov '14, 21:15) McKittrick
What version of tshark is this? (What does

(19 Nov '14, 22:23) Guy Harris ♦♦

Regarding the packet counts, you can also refer to my answer to this question, which has links to the fix for the bug that Guy referred to, as well as listing some possible options for avoiding this problem.

(20 Nov '14, 06:15) cmaynard ♦♦
There are several problems with that. First of all, you probably mean something such as

Furthermore, however, if you're capturing and printing, or reading through the capture file in one pass, it's impossible for TShark to determine what the last frame is in a reassembled packet, as that would require predicting the contents of future packets, which is a bit difficult. You would have to do a two-pass analysis of an already-captured trace to do that; this means you can't do it in a live capture, and would have to use the

It might be useful for *shark to put a field into the dissection indicating whether a frame is not at the end of a reassembled packet, so it could be used in a filter. Sadly, it doesn't do so currently. So about the only thing you can currently do is disable reassembly, as per the other answer.

answered 20 Nov '14, 00:45 Guy Harris ♦♦ edited 20 Nov '14, 00:47
Spaces meaning blanks? What's an example of output that doesn't have spaces?
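A post-processing alternative for the display complaints in this thread (the reassembled-PDU lines, the repeated Continuation Data lines, the frame counter, and the lack of blank lines between packets), added here as an example that is not from the thread or the Wireshark project: pipe tshark's one-line output through this filter instead of fighting the display-filter syntax. It only changes what is shown, not what is captured, and assumes the "src -> dst proto length info" line shape seen in the thread; the sample lines are constructed.

```python
import re
import sys

# Leading frame counter on a packet line ("1 192.168.0.1 -> ..."). Digits must be
# followed by whitespace, so a timestamp column such as "0.000123" is left alone.
FRAME_COUNTER = re.compile(r"^\s*\d+\s+")

# Constructed sample in the shape of tshark's one-line output (not a real capture).
SAMPLE_OUTPUT = """\
Capturing on 'Local Area Connection'
1 192.168.0.1 -> 224.0.0.1 IGMPv3 60 Membership Query, general
2 192.168.0.16 -> 192.0.2.10 TCP 1514 [TCP segment of a reassembled PDU]
3 192.168.0.16 -> 192.0.2.10 TCP 1514 [TCP segment of a reassembled PDU]
4 192.0.2.10 -> 192.168.0.16 SSL 1514 Continuation Data
5 192.0.2.10 -> 192.168.0.16 SSL 1514 Continuation Data
6 192.168.0.16 -> 192.168.0.1 DNS 74 Standard query 0x1a2b A example.com
""".splitlines()


def filter_tshark_lines(lines, drop_markers=("[TCP segment of a reassembled PDU]",),
                        collapse_marker="Continuation Data", blank_between=True):
    """Post-process tshark's text output and return the lines worth showing.

    - a line containing any of drop_markers is dropped entirely
    - of a run of consecutive lines containing collapse_marker, only the first is kept
      (dropped lines in between do not restart the run)
    - a leading frame counter is stripped from every kept line
    - with blank_between, an empty line separates consecutive packets
    Status chatter such as "Capturing on ..." and empty lines are skipped.
    """
    out = []
    previous_was_collapsible = False
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line.strip() or line.startswith("Capturing on"):
            continue
        if any(marker in line for marker in drop_markers):
            continue
        collapsible = collapse_marker in line
        if collapsible and previous_was_collapsible:
            continue
        previous_was_collapsible = collapsible
        if blank_between and out:
            out.append("")
        out.append(FRAME_COUNTER.sub("", line, count=1))
    return out


if __name__ == "__main__":
    # Usage: tshark ... | python this_filter.py
    for shown in filter_tshark_lines(sys.stdin):
        print(shown)
```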