This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Difference TShark / Wireshark when load a pcap

0

Hi to all,

After merge 2 two pcap with the command "mergepcap -a 1.pcap 2.pcap -w result.pcap" the output from TShark and Wireshark is different.

In detail, if i open the result.pcap with TShark with this command, /usr/bin/tshark -r result.pcap -T fields -e tcp.stream -e frame.time -e tcp.checksum -R "tcp" | grep ".02696400" | more

The result is "20 Dec 15, 2011 11:12:20.026964000 0xf3a8"

When i open the result.pcap with Wireshark and the filter is tcp.stream eq 20 i don't have any record.

The same packet (Dec 15, 2011 11:12:20.026964000 0xf3a8) is visible if i put in the filter of wireshark "tcp.stream eq 56".

Why ???? i wrong when merge 2 pcap files ?

asked 11 Jan '12, 05:38

fcafra's gravatar image

fcafra
1111
accept rate: 0%

One Answer:

1

I doubt that the issue has anything to do with mergecap.

tcp.stream is a generated field: that is: the tcp dissector just increments a counter each time it sees what it thinks is a new "stream" (aka connection aka conversation).

For example: tcp.stream will probably be different for the same frame in 1.pcap vs result.pcap.

I don't specifically know why you get different results for tshark vs wireshark when reading result.pcap.

Do you get a different stream value if you remove the -R tcp when invoking tshark ?

answered 12 Jan '12, 08:31

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

Thank's Bill for your response, i try to remove -R tcp but the result is not change... i have the same error.

Maybe, wireshark adjust the field tcp.stream when loading the pcap file... it's possible this ?

and if correct this answer, there is a tshark method or another method to adjust tcp.stream field when i try to load entire pcap file ?

(13 Jan '12, 00:45) fcafra

I understand the problem.

if i launch tshark version TShark 1.6.5 it's all ok....

when i try, i have use tshark 1.2.7....

Sorry, and.. thank's...

(13 Jan '12, 03:29) fcafra

(I converted your answer to a comment, please see the FAQ for details)

Yes, the way tcp.stream numbers are generated has changed between 1.2.7 and 1.6.5

(14 Jan '12, 02:08) SYN-bit ♦♦

Thank's SYNbit and sorry :)

Can i ask another question here ?

(18 Jan '12, 02:26) fcafra
1

If "here" means "on the ask.wireshark.org" site, yes, you can ask another question here.

If "here" means "as a comment on this answer", then, while the site's software doesn't prevent that, you really shouldn't do that - Q&A sites such as this really work best if each question is asked separately, so that another user with the same or a similar question can more easily find a question. (Note that Q&A sites, such as this, aren't forums.)

(18 Jan '12, 12:31) Guy Harris ♦♦