This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

can anyone help me before i pull my hair out!

0

yes i am a bit new to this. i thought i knew what was in front of me, i realize i do not. bpf syntax makes me want to scream! i hate it. anyway this is what i want to accomplish. this is a TSHARK question on a win 7 machine

i simply want to OMIT THE DISPLAY/CAPTURE OF THIS>> [TCP segment of a reassembled PDU]

that is what i see endlessly in SSL traffic. it drives me nuts. i am suing this syntax and tshark totally ignores it and bypasses it

tshark -Y !tcp.continuation_to !port 53 or udp ( i wish to keep seeing UDP when i need to)

it also ignores this

!tcp.reassembled_in

my question is WHY?????? does anyone know the damn syntax to drop retransmitted PDUs??????

thank you immensely!

extra bonus help: do we know of a way to also have tshark not post the number of packets to the screen? like 1,2,3,4 like it keeps doing also, why in the world has no one ever came up with a way to put SPACES between packet line output? wheter it be in ngrep/this/ or tcpdump!

asked 17 Nov '14, 02:29

McKittrick's gravatar image

McKittrick
11334
accept rate: 0%

why in the world has no one ever came up with a way to put SPACES between packet line output?

Spaces meaning blanks? What's an example of output that doesn't have spaces?

(19 Nov '14, 22:25) Guy Harris ♦♦

2 Answers:

0

You are asking several questions; in the future, it would be better to submit a separate question for each query rather than to lump a bunch of them into a single question.

I'll start with the first one:

i simply want to OMIT THE DISPLAY/CAPTURE OF THIS>> [TCP segment of a reassembled PDU]

You need to de-select the "Allow subdissector to reassemble TCP streams" TCP preference, which is done via:

Edit -> Preferences -> Protocols -> TCP -> Allow subdissector to reassemble TCP streams

If you don't want to change the preference permanently, you can change it on the tshark command-line by using the -o tcp.desegment_tcp_streams:FALSE option.


As for your second question:

do we know of a way to also have tshark not post the number of packets to the screen?

One way of accomplihsing this is to manually specify the column format using the -o "gui.column.format command-line option. For example, to specify all the default column except for the packet number, you can use:

  • On Windows:

    tshark.exe -o "gui.column.format:\"Time\",\"%t\",\"Source\",\"%s\",\"Destination\",\"%d\",\"Protocol\",\"%p\",\"Length\",\"%L\",\"Info\",\"%i\""

  • On *nix:

    tshark -o 'gui.column.format:"Time","%t","Source","%s","Destination","%d","Protocol","%p","Length","%L","Info","%i"'

Run tshark -G column-formats for more information.


Finally:

why in the world has no one ever came up with a way to put SPACES between packet line output?

Probably because nobody has ever expressed a desire for it before nor took the time to implement such a feature. You are welcome to do so. The -S option does allow the user to specify a packet separator, but it currently only applies when printing packet details. It could be enhanced to allow a separator to be specified even when only printing packet summary information.


answered 17 Nov '14, 10:14

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

thank you so much! you got rid of the issue i had with seeing the retransmitted PDUs. the other question still seems to linger. the column output you threw up i typed exact and still see those pesky numbers. ill show you

C:\Users\McKittrick\Desktop>tshark -o "gui.column.format:\"Time\",\"%t\",\"Source\",\"%s\",\"Destination\",\"%d\",\"Protocol\",\"%p\",\"Length\",\"%L\",\"Info\" ,\"%i\""

Capturing on 'Local Area Connection'

fe80::21b:54ff:feca:fdd9 -> ff02::1:ff2a:93ed ICMPv6 86 Neighbor Solicitation fo r 2001:48f8:24:452:5510:d93:8c2a:93ed from 00:1b:54:ca:fd:d9

1 192.168.0.1 -> 224.0.0.1 IGMPv3 60 Membership Query, general

2 fe80::21b:54ff:feca:fdd9 -> ff02::1:ff16:2063 ICMPv6 86 Neighbor Solicitation

see the 1 and 2? lastly, and this will be my last question in relation to what i posted, how do i use an -o flag to omit seeing this> 192.168.0.16 SSL 1514 Continuation Data (the CONTINUATION DATA i just need one instance of it, not an entire screen full, lol)

and once again, ty!

(19 Nov '14, 21:15) McKittrick

the column output you threw up i typed exact and still see those pesky numbers

What version of tshark is this? (What does tshark -v print?) Your output appears not to show a packet number before the first line, but shows one before the second and third lines; there might be a bug that causes tshark to print the packet counter - normally printed, by default, only if you're capturing to a binary file with -w, rather than capturing and dissecting and printing - even when capturing and dissecting and printing.

(19 Nov '14, 22:23) Guy Harris ♦♦

Regarding the packet counts, you can also refer to my answer to this question, which has links to the fix for the bug that Guy referred to, as well as listing some possible options for avoiding this problem.

(20 Nov '14, 06:15) cmaynard ♦♦

0
tshark -Y !tcp.continuation_to !port 53 or udp

There are several problems with that.

First of all, you probably means something such as

tshark -Y "!tcp.continuation_to and (!port 53 or udp)"

Furthermore, however, if you're capturing and printing, or reading through the capture file in one pass, it's impossible for TShark to determine what the last frame is in a reassembled packet, as that would require predicting the contents of future packets, which is a bit difficult. You would have to do a two-pass analysis of an already-captured trace to do that; this means you can't do it in a live capture, and would have to use the -2 flag for a two-pass analysis, and use the -R flag rather than the -Y flag.

It might be useful for *shark to put a field into the dissection indicating whether a frame is not at the end of a reassembled packet, so it could be used in a filter. Sadly, it doesn't do so currently.

So about the only thing you can currently do is disable reassembly, as per the other answer.

answered 20 Nov '14, 00:45

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 20 Nov '14, 00:47