This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Difference TShark / Wireshark when load a pcap

0

Hi to all,

After merge 2 two pcap with the command "mergepcap -a 1.pcap 2.pcap -w result.pcap" the output from TShark and Wireshark is different.

In detail, if i open the result.pcap with TShark with this command, /usr/bin/tshark -r result.pcap -T fields -e tcp.stream -e frame.time -e tcp.checksum -R "tcp" | grep ".02696400" | more

The result is "20 Dec 15, 2011 11:12:20.026964000 0xf3a8"

When i open the result.pcap with Wireshark and the filter is tcp.stream eq 20 i don't have any record.

The same packet (Dec 15, 2011 11:12:20.026964000 0xf3a8) is visible if i put in the filter of wireshark "tcp.stream eq 56".

Why ???? i wrong when merge 2 pcap files ?

asked 11 Jan '12, 05:38

fcafra's gravatar image

fcafra
1111
accept rate: 0%

One Answer:
active answersoldest answersnewest answerspopular answers
1

I doubt that the issue has anything to do with mergecap.

tcp.stream is a generated field: that is: the tcp dissector just increments a counter each time it sees what it thinks is a new "stream" (aka connection aka conversation).

For example: tcp.stream will probably be different for the same frame in 1.pcap vs result.pcap.

I don't specifically know why you get different results for tshark vs wireshark when reading result.pcap.

Do you get a different stream value if you remove the -R tcp when invoking tshark ?

permanent link

answered 12 Jan '12, 08:31

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

Thank's Bill for your response, i try to remove -R tcp but the result is not change... i have the same error.

Maybe, wireshark adjust the field tcp.stream when loading the pcap file... it's possible this ?

and if correct this answer, there is a tshark method or another method to adjust tcp.stream field when i try to load entire pcap file ?

(13 Jan '12, 00:45) fcafra

I understand the problem.

if i launch tshark version TShark 1.6.5 it's all ok....

when i try, i have use tshark 1.2.7....

Sorry, and.. thank's...

(13 Jan '12, 03:29) fcafra

(I converted your answer to a comment, please see the FAQ for details)

Yes, the way tcp.stream numbers are generated has changed between 1.2.7 and 1.6.5

(14 Jan '12, 02:08) SYN-bit ♦♦

Thank's SYNbit and sorry :)

Can i ask another question here ?

(18 Jan '12, 02:26) fcafra
1

If "here" means "on the ask.wireshark.org" site, yes, you can ask another question here.

If "here" means "as a comment on this answer", then, while the site's software doesn't prevent that, you really shouldn't do that - Q&A sites such as this really work best if each question is asked separately, so that another user with the same or a similar question can more easily find a question. (Note that Q&A sites, such as this, aren't forums.)

(18 Jan '12, 12:31) Guy Harris ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×1,620
×832
×13

question asked: 11 Jan '12, 05:38

question was seen: 5,590 times

last updated: 18 Jan '12, 12:31

Related questions

Cumulative Bytes

Tshark | Best Performance, Intel vs. AMD

After converting pcap to text , I want only data part in text file how can i do that?

PSML and PDML file consistency between Wireshark on Windows, WireShark on Linux, and Tshark

Wireshark Change time UTC

Filter multiple IPs

stream number for udp

How do .lua files get input from wireshark?

Save tcp stream according to number of packets?

Wireshark save output file name Date

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A