Difference TShark / Wireshark when load a pcap

Hi to all,

After merge 2 two pcap with the command "mergepcap -a 1.pcap 2.pcap -w result.pcap" the output from TShark and Wireshark is different.

In detail, if i open the result.pcap with TShark with this command, /usr/bin/tshark -r result.pcap -T fields -e tcp.stream -e frame.time -e tcp.checksum -R "tcp" | grep ".02696400" | more

The result is "20 Dec 15, 2011 11:12:20.026964000 0xf3a8"

When i open the result.pcap with Wireshark and the filter is tcp.stream eq 20 i don't have any record.

The same packet (Dec 15, 2011 11:12:20.026964000 0xf3a8) is visible if i put in the filter of wireshark "tcp.stream eq 56".

Why ???? i wrong when merge 2 pcap files ?

difference tshark wireshark

asked 11 Jan '12, 05:38

fcafra
1●1●1●1
accept rate: 0%

One Answer:

active answers oldest answers newest answers popular answers

I doubt that the issue has anything to do with mergecap.

tcp.stream is a generated field: that is: the tcp dissector just increments a counter each time it sees what it thinks is a new "stream" (aka connection aka conversation).

For example: tcp.stream will probably be different for the same frame in 1.pcap vs result.pcap.

I don't specifically know why you get different results for tshark vs wireshark when reading result.pcap.

Do you get a different stream value if you remove the -R tcp when invoking tshark ?

permanent link

answered 12 Jan '12, 08:31

Bill Meier ♦♦
3.2k●1●8●50
accept rate: 17%

Thank's Bill for your response, i try to remove -R tcp but the result is not change... i have the same error.

Maybe, wireshark adjust the field tcp.stream when loading the pcap file... it's possible this ?

and if correct this answer, there is a tshark method or another method to adjust tcp.stream field when i try to load entire pcap file ?

(13 Jan '12, 00:45) fcafra

I understand the problem.

if i launch tshark version TShark 1.6.5 it's all ok....

when i try, i have use tshark 1.2.7....

Sorry, and.. thank's...

(13 Jan '12, 03:29) fcafra

(I converted your answer to a comment, please see the FAQ for details)

Yes, the way tcp.stream numbers are generated has changed between 1.2.7 and 1.6.5

(14 Jan '12, 02:08) SYN-bit ♦♦

Thank's SYNbit and sorry :)

Can i ask another question here ?

(18 Jan '12, 02:26) fcafra

If "here" means "on the ask.wireshark.org" site, yes, you can ask another question here.

If "here" means "as a comment on this answer", then, while the site's software doesn't prevent that, you really shouldn't do that - Q&A sites such as this really work best if each question is asked separately, so that another user with the same or a similar question can more easily find a question. (Note that Q&A sites, such as this, aren't forums.)

(18 Jan '12, 12:31) Guy Harris ♦♦

Your answer

toggle preview

community wiki:

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

*italic* or _italic_
**bold** or __bold__
link:[text](http://url.com/ "title")
image?![alt text](/path/img.jpg "title")
numbered list: 1. Foo 2. Bar
to add a line break simply add two spaces to where you would like the new line to be.
basic HTML tags are also supported

learn more about Markdown

Question tags:

wireshark ×1,620
tshark ×832
difference ×13

question asked: 11 Jan '12, 05:38

question was seen: 5,317 times

last updated: 18 Jan '12, 12:31

Difference TShark / Wireshark when load a pcap

Follow this question

You have a trillion packets.

You need to see four of them.

Don't have Wireshark?

Related questions