This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Retrieving Physical Layer Data Only

0

I know how to use the filter on both Wireshark and Tshark, however, I want to go even deeper into the analysis of the data. To do this I want to access only the physical layer transmissions of the specified type.

For example, the following drag-n-drop batch file will filter out all IP packets in a pcap file:

"C:\Program Files\Wireshark\tshark.exe" -nr "%~1" -P -Y "ip" -o "gui.column.format:\"Time\",\"%%t\""  > "%~1.ip.tt"

My dilemma is that I only want the times at which IP packets were sent at the physical layer, not all layers. What do I need to do (/add to this batch file) to filter those packets out?

A Tshark approach is much more preferred.

asked 17 Feb '16, 08:27

Midimistro's gravatar image

Midimistro
116610
accept rate: 50%

Are you saying that the timestamp you get now is something different? Are you aware where this timestamp comes from and what it represents?

(17 Feb '16, 12:29) Jaap ♦

I am quite aware of where these timestamps come from. The filter above includes all the instances of the IP protocol, whether the instance is in the physical layer or not. What I am looking for is physical layer IP instances, and nothing more.

(17 Feb '16, 13:09) Midimistro
2 Answers:
active answersoldest answersnewest answerspopular answers
0

What I am looking for is physical layer IP instances, and nothing more.

If you want a general solution, there isn't one.

If you want a solution for a particular link layer, try, for example, "eth.type == 0x0800 || eth.type == 0x86dd" for IPv4 or IPv6 directly atop Ethernet.

However, that won't filter out Ethernet transported atop some other protocol ultimately running atop physical Ethernet. There is no solution for that.

permanent link

answered 18 Feb '16, 00:23

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

0

Could you slice the capture with editcap so there is nothing beyond the first IP layer, e.g. editcap -s xx in.pcap out.pcap, then use the sliced capture for your calcs?

permanent link

answered 18 Feb '16, 03:15

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

Thats not what I am looking for. What I am trying to do is get packet information from the PHY layer as described in this picture and only that data, no other layer info (aka I want to leave out all the layers above it):

lte_data_flow diagram

If this is possible, let me know. Whether it be the IP packets themselves or the transport block, as long as its one or the other, and not both, that's what I am looking for.

(19 Feb '16, 04:37) Midimistro

Can you show a picture of the packet tree in Wireshark indicating the data you want? Even better, add a capture as well.

(19 Feb '16, 04:42) grahamb ♦

I can add a small snapshot, but because the data is confidential, I cannot release the capture.

(19 Feb '16, 12:19) Midimistro
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×1,620
×832
×165
×12
×5

question asked: 17 Feb '16, 08:27

question was seen: 4,004 times

last updated: 19 Feb '16, 12:19

Related questions

library for display filters

tshark 1.8.2: invalid option -- 'Y'

how to retrieve packet information using wireshark commands

If a Tshark field occurs more than once for a single packet, how can I specify the one do I need?

Get list of application layer protocols only

DNS leak: Looking up own hostname with DNS queries

TShark Batch-process .Cap files to find HTTP delay delta & output to CSV

Is there any way to optimize lua dissectors

PSML and PDML file consistency between Wireshark on Windows, WireShark on Linux, and Tshark

Wireshark Change time UTC

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A