This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

error while trying to use tshark

0

Error: FIT was expected in this contact

Command I gave:

C:\Program Files (x86)\Wireshark>tshark -r C:\Users\Karnail.Home-Notebook\Documents\MS - FIT\CYB5675\Week 3\datasets\lbl-internal.20050106-1323.port025.dump.anon -R frame.sequence eq \"tcp.flags.syn==1 && tcp.flags.ack==0"

What am I trying to do? I want to list all the packets from a PCAP file where syn=1 and ack=0, i.e. a half-open port scan.

The error I get is: Error FIT was expected in this contact

Please help me resolve it.

asked 27 Sep '15, 06:52

karnails

edited 27 Sep '15, 10:23

grahamb ♦


One Answer:

1

You'll need to fix your quoting because the file path has spaces, and then your read filter is incorrect. Try this:

tshark -r "C:\Users\Karnail.Home-Notebook\Documents\MS - FIT\CYB5675\Week 3\datasets\lbl-internal.20050106-1323.port025.dump.anon" -Y "tcp.flags.syn==1 && tcp.flags.ack==0"

answered 27 Sep '15, 10:39

grahamb ♦

Thanks. How do I output the result of the command above (the one that you fixed) to a file, say csv?

(27 Sep '15, 11:02) karnails

To redirect to a file, just use normal shell redirection, e.g. > myfile.txt.

To make a csv, look at the -T fields -e field.name1 -e field.name2 ... options, along with "-E separator=,", e.g. to display the frame number, ip.source and ip.destination use:

... -T fields -e frame.number -e ip.src -e ip.dst -E "separator=," > myfile.csv

Field names can be found in Wireshark by selecting the field of interest in the packet details tree and looking at the field name in the status bar.

You can see the options on the tshark man page.

(27 Sep '15, 11:20) grahamb ♦
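
A SYN-without-ACK listing also contains ordinary connection attempts, so the CSV usually needs grouping by source before it says anything about scanning. The following is an added example, not part of the original thread: it assumes the export from the comment above with `-e tcp.dstport` appended to the field list, and the `min_targets` threshold and all sample rows are constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of what this export would contain:
#   -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e frame.number
#   -e ip.src -e ip.dst -e tcp.dstport -E "separator=,"
# Addresses are documentation ranges, not values from the asker's capture.
SAMPLE_CSV = """\
1,192.0.2.10,198.51.100.5,21
2,192.0.2.10,198.51.100.5,22
3,192.0.2.10,198.51.100.5,23
4,192.0.2.10,198.51.100.5,25
5,192.0.2.10,198.51.100.6,80
6,192.0.2.10,198.51.100.6,443
7,192.0.2.77,198.51.100.5,80
8,192.0.2.77,198.51.100.5,80
9,192.0.2.77,198.51.100.5,80
10,,,443
"""

def summarize_syns(lines):
    """Group SYN-only rows by source: {src: (packet count, distinct targets)}."""
    packets = defaultdict(int)
    targets = defaultdict(set)
    for row in csv.reader(lines):
        # Frames without an IPv4 header (e.g. IPv6) leave ip.src/ip.dst empty.
        if len(row) < 4 or not all(row[1:4]):
            continue
        _frame, src, dst, port = row[:4]
        packets[src] += 1
        # A set collapses SYN retransmissions to the same host and port.
        targets[src].add((dst, port))
    return {src: (packets[src], len(targets[src])) for src in packets}

def scan_candidates(summary, min_targets=5):
    """Sources whose SYNs reached at least min_targets distinct (host, port) pairs."""
    hits = [(src, n) for src, (_count, n) in summary.items() if n >= min_targets]
    return sorted(hits, key=lambda item: item[1], reverse=True)

if __name__ == "__main__":
    summary = summarize_syns(io.StringIO(SAMPLE_CSV))
    for src, n in scan_candidates(summary):
        print(f"{src}: {summary[src][0]} SYNs to {n} distinct host/port targets")
```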