Wireshark-dev: [Wireshark-dev] question about tshark output

From: Martin Sehnoutka <msehnout@xxxxxxxxxx>
Date: Wed, 3 Aug 2016 11:14:42 +0200
Hi,

I have a question about tshark output. Let's say that I have a capture
like this:

$ tshark -r test.pcap | head --lines 5
  1   0.000000   7.56.29.59 → 7.39.4.46    TCP 74 53996→80 [SYN] Seq=0 Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2800540155 TSecr=0 WS=1024
  2   0.000260    7.39.4.46 → 7.56.29.59   TCP 74 80→53996 [SYN, ACK] Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=3196888027 TSecr=2800540155 WS=1024
  3   0.000307   7.56.29.59 → 7.39.4.46    TCP 66 53996→80 [ACK] Seq=1 Ack=1 Win=29696 Len=0 TSval=2800540156 TSecr=3196888027
  4   0.000431   7.56.29.59 → 7.39.4.46    TCP 205 53996→80 [PSH, ACK] Seq=1 Ack=1 Win=29696 Len=139 TSval=2800540156 TSecr=3196888027
  5   0.000712    7.39.4.46 → 7.56.29.59   TCP 66 80→53996 [ACK] Seq=1 Ack=140 Win=16384 Len=0 TSval=3196888027 TSecr=2800540156

and I'd like to filter it with this setup:

$ tshark -r test.pcap -Tfields -e tcp.len -e frame.len -e data.len -E separator=, | head --lines=5
0,74,
0,74,
0,66,
139,205,139
0,66,

Now, tcp.len is displayed as 0, but data.len is empty. Is it by design?
Does it mean "not applicable"?

Best regards,

-- 
Martin Sehnoutka
Associate Software Engineer
Brno, Purkyňova 99
RED HAT | TRIED. TESTED. TRUSTED.