Re: question about tshark output

[Jaap Keuter <jaap.keuter () xs4all nl>]

Hi, 

The absence of the value simply means the value is not there, which, given the field you requested, isn’t a surprise.

Try reshuffling the order of fields requested and see what happens.

Thanks,
Jaap

> On 03 Aug 2016, at 11:14, Martin Sehnoutka <msehnout () redhat com> wrote:
>
> Hi,
>
> I have a question about tshark output. Let's say, that I have capture
> like this:
>
> $ tshark -r test.pcap | head --lines 5
>  1   0.000000   7.56.29.59 → 7.39.4.46    TCP 74 53996→80 [SYN] Seq=0
> Win=29200 Len=0 MSS=1460 SACK_PERM=1 TSval=2800540155 TSecr=0 WS=1024
>  2   0.000260    7.39.4.46 → 7.56.29.59   TCP 74 80→53996 [SYN, ACK]
> Seq=0 Ack=1 Win=14480 Len=0 MSS=1460 SACK_PERM=1 TSval=3196888027
> TSecr=2800540155 WS=1024
>  3   0.000307   7.56.29.59 → 7.39.4.46    TCP 66 53996→80 [ACK] Seq=1
> Ack=1 Win=29696 Len=0 TSval=2800540156 TSecr=3196888027
>  4   0.000431   7.56.29.59 → 7.39.4.46    TCP 205 53996→80 [PSH, ACK]
> Seq=1 Ack=1 Win=29696 Len=139 TSval=2800540156 TSecr=3196888027
>  5   0.000712    7.39.4.46 → 7.56.29.59   TCP 66 80→53996 [ACK] Seq=1
> Ack=140 Win=16384 Len=0 TSval=3196888027 TSecr=2800540156
>
> and I'd like to filter it with this set up:
>
> $ tshark -r test.pcap -Tfields -e tcp.len -e frame.len -e data.len -E
> separator=, | head --lines=5
> 0,74,
> 0,74,
> 0,66,
> 139,205,139
> 0,66,
>
> Now, tcp.len is displayed as 0, but data.len is empty. Is it by design?
> Does it mean "not applicable"?
>
> Best regards,
>
> -- 
> Martin Sehnoutka
> Associate Software Engineer
> Brno, Purkyňova 99
> RED HAT | TRIED. TESTED. TRUSTED.

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    https://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe