This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark can’t recognize trimmed udp packets

Hi there,

I am using iperf to generate udp traffic between two wireless nodes.

Simultaneously I am sniffing the traffic on a separate monitor interface with tcpdump, where the snaplen option is set to 102 (I trim the packets to reduce the trace size).

When I open the trace in Wireshark, it is recognized as a UDP packet. However, tshark doesn't even recognize these packets as IP packets. Filters such as ip, ip.addr, udp display no results in tshark, while in Wireshark they work perfectly fine.

Does anyone know why this is, and is there a way to change this behaviour of tshark?

asked 30 Jan '15, 04:13

itrustedyou


One Answer:

Since Wireshark and tshark use the same dissection engine, they should show the same results, assuming you're using tshark and Wireshark on the same machine.

One other thing to take into account is to check whether you're using the same configuration profile in tshark and wireshark.

Can you share the output of tshark -nlr <pcap-file> -V -c1?

answered 30 Jan '15, 05:45

SYN-bit ♦♦

I am using them on the same machine.

Here is the output I get from your command, for one of the unrecognized UDP packets - http://paste2.org/_dkjdkMtA

Thank you very much for your answer!

(02 Feb '15, 12:07) itrustedyou