This is our old Q&A Site. Please post any new questions and answers at

Hi there,

I am using iperf to generate udp traffic between two wireless nodes.

Simulatenously I am sniffing the traffic on a seperate monitor interface with tcpdump where snaplen option is set to 102 (i trim the packets to reduce the trace size)

When I open the trace in Wireshark, it is recognized as an udp packet. However, tshark doesn't even recognize these packets as ip packets. Filters such as ip, ip.addr, udp display no results in tshark, while in Wireshark they work perfectly fine.

Does anyone know why this is, and is there a way to change this behaviour of tshark?

asked 30 Jan '15, 04:13

itrustedyou's gravatar image

accept rate: 0%

Since Wireshark and tshark use the same dissection engine, they should show the same results. Assuming you're using tshark and wireshark on the same machine.

One other thing to take into account is to check whether you're using the same configuration profile in tshark and wireshark.

Can you share the output of tshark -nlr <pcap-file> -V -c1?

permanent link

answered 30 Jan '15, 05:45

SYN-bit's gravatar image

SYN-bit ♦♦
accept rate: 20%

I am using them on the same machine.

here is the output I get from your command, for one of the unrecognized UDP packets -

Thank you very much for your answer!

(02 Feb '15, 12:07) itrustedyou
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 30 Jan '15, 04:13

question was seen: 1,621 times

last updated: 02 Feb '15, 12:07

p​o​w​e​r​e​d by O​S​Q​A