Ethereal-users: Re: [Ethereal-users] Questions on using ethereal / tethereal

Note: This archive is from the project's previous web site, ethereal.com. This list is no longer active.

From: "Ronnie Sahlberg" <ronnie_sahlberg@xxxxxxxxxxxxxx>
Date: Tue, 17 Jun 2003 07:30:54 +1000
----- Original Message -----
From: "Heilmaier, Alois"
Sent: Monday, June 16, 2003 8:55 PM
Subject: [Ethereal-users] Questions on using ethereal / tethereal


> 5.) I tried the following command: tethereal -r <infile> -z
> "proto,colinfo,ip.proto == 6,tcp.nxtseq"
>     but I get the following output:  00:02:37.966848   2.321526 85
> 199.105.181.41 -> 1.40.34.164  TCP 8292 > 8277 [PSH, ACK]
>     Seq=1435071514 Ack=1702498735 Win=8192 Len=27
>     With this command I should get the tcp-next-seq number in each packet
> output.

You need to specify the field tcp.nxtseq as part of the filter as well.
i.e.
-z "proto,colinfo,ip.proto==6&&tcp.nxtseq,tcp.nxtseq"

or simpler:

-z "proto,colinfo,tcp.nxtseq,tcp.nxtseq"


>
>     What is wrong? I thought it was the filter expression "ip.proto == 6"
> but I also tried the
>     tethereal  -r  <infile> -z
> "proto,colinfo,frame.pkt_len>10,frame.pkt_len" which works.
>

This works since frame.pkt_len which is to be printed is also part of the
filter string.

>     So I also tried: tethereal  -r  <infile> -z
> "proto,colinfo,frame.pkt_len>10,tcp.hdr_len"
>     and there was no tcp.hdr_len field present on the output (==> so it
> could not be a wrong filter)

see above

>
>     Do I use the command wrong? (I want to get some information printed in
> the output, e.g. TCP-Flags or tcp.nxt_seq)
>
> 6.) I tried to make an error analysis on a tracefile, so I used the
> following command:
>     tethereal -r  <infile> "-R tcp.checksum_bad == 1"
>     tethereal -r  <infile> "-R tcp.checksum_bad == 0"
>     ==> there was no output of any frame. (I also checked for TCP-Frames in
> Infile)

-R "tcp.checksum_bad"

i.e. just test if this field exists in the packet. You don't have to check
for a specific value.


>
> 7.) How can I use the tcp.analysis.* parameters ?
>     Some of them have boolean values so I can use them in Filters (like in
> Question 6)
>     Some analysis parameters have no values. How can I use those parameters,
> or how is tcp.analysis.* used normally?

Just use -R "field-name"
and test if they exist in the packet regardless of their value.

>
>
> Best Regards
> Alois Heilmaier
>
>
>
>
> _______________________________________________
> Ethereal-users mailing list
> Ethereal-users@xxxxxxxxxxxx
> http://www.ethereal.com/mailman/listinfo/ethereal-users
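The two rules in Ronnie's reply (the field handed to the colinfo tap must also appear in its filter, and a -R read filter that names a field with no comparison matches on mere presence) are easy to get wrong at the command line. The following POSIX sh helpers, an added example that is not part of the original thread or of the Ethereal project, build the -z and -R arguments so the field is always included in the filter, then hand them to tethereal if it is on PATH (or to tshark, the tool's later name). The capture file name is a placeholder supplied by the caller; nothing here is invoked unless one of the two binaries is found.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Builds tethereal/tshark arguments that follow the rules given in the reply:
#   -z proto,colinfo,<filter>,<field>   needs <field> inside <filter>
#   -R <field>                          matches when <field> merely exists

# colinfo_arg FILTER FIELD
# Prints "proto,colinfo,FILTER&&FIELD,FIELD". If FILTER already names FIELD it
# is used unchanged; an empty FILTER gives the simpler "proto,colinfo,FIELD,FIELD".
colinfo_arg() {
    filter=$1
    field=$2
    case "$filter" in
        "")         printf 'proto,colinfo,%s,%s\n' "$field" "$field" ;;
        *"$field"*) printf 'proto,colinfo,%s,%s\n' "$filter" "$field" ;;
        *)          printf 'proto,colinfo,%s&&%s,%s\n' "$filter" "$field" "$field" ;;
    esac
}

# existence_filter FIELD
# A read filter that is true whenever FIELD is present, whatever its value
# (works for tcp.checksum_bad as well as the value-less tcp.analysis.* fields).
existence_filter() {
    printf '%s\n' "$1"
}

# find_analyzer: prints the first of tethereal/tshark found on PATH, else nothing.
find_analyzer() {
    for tool in tethereal tshark; do
        if command -v "$tool" >/dev/null 2>&1; then
            printf '%s\n' "$tool"
            return 0
        fi
    done
    printf '\n'
}

# print_with_field INFILE FILTER FIELD
# Runs the capture through the colinfo tap so FIELD is appended to each
# matching packet's info column (the output format the questioner expected).
print_with_field() {
    tool=$(find_analyzer)
    [ -n "$tool" ] || { echo "no tethereal/tshark on PATH" >&2; return 2; }
    "$tool" -r "$1" -z "$(colinfo_arg "$2" "$3")"
}

# frames_with_field INFILE FIELD
# Counts the frames in which FIELD exists at all; useful for a quick
# "how many bad checksums / retransmissions are in this trace" check.
frames_with_field() {
    tool=$(find_analyzer)
    [ -n "$tool" ] || { echo "no tethereal/tshark on PATH" >&2; return 2; }
    "$tool" -r "$1" -R "$(existence_filter "$2")" | wc -l
}

# Usage (capture.cap is a placeholder file name):
#   print_with_field capture.cap 'ip.proto==6' tcp.nxtseq
#   frames_with_field capture.cap tcp.checksum_bad
#   frames_with_field capture.cap tcp.analysis.retransmission
```

One caveat for anyone running this against a current tshark rather than the 2003-era tethereal: there -R is a two-pass read filter that must be combined with -2, and -Y is the single-pass display filter; the field-existence rule is the same for both.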