On Tue, 19 Aug 2008 15:41:30 +0100 paritosh kulkarni wrote:
> One thing I want to ask is I get the protocol and flags in numerical values;
> how to get them in the states we see as in Wireshark,
> i.e. like TCP instead of 0x06 and flags as SYN or FIN or SYN/ACK instead
> of 0x18.
I don't think so, but correct me if I'm wrong.
If you use this command, you can at least see which flags are set.
$ tshark -r test.cap -T fields -e frame.number -e frame.time -e ip.src \
    -e ip.dst -e ip.proto -e tcp.srcport -e tcp.dstport -e frame.len -e tcp.len \
    -e tcp.flags.cwr -e tcp.flags.ecn -e tcp.flags.urg -e tcp.flags.ack -e tcp.flags.push \
    -e tcp.flags.reset -e tcp.flags.syn -E header=y > test.csv
Hope this helps somehow
Joan
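The question above asks for the names Wireshark shows (TCP for 0x06, "SYN, ACK" for 0x12) rather than the raw numbers that `tshark -T fields` emits. The script below is an added example, not code from the thread or from the Wireshark project: it parses the tab-separated, header-first output that `-T fields -E header=y` produces and decodes both forms of flag output, a single `tcp.flags` column and the per-flag boolean columns used in Joan's command. The two sample inputs are constructed to look like that output and are not from a real capture; the field names `tcp.flags.fin`, `tcp.flags.ece` and `tcp.flags.ns` are assumed to exist in the reader's tshark release alongside the ones in the thread.

```python
# Added example, not code from the thread: turn the numeric ip.proto and
# tcp.flags values that "tshark -T fields" emits into the names Wireshark shows.
import csv
import io

# IANA protocol numbers most often seen during packet triage; anything else stays numeric.
IP_PROTO_NAMES = {
    1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE",
    50: "ESP", 51: "AH", 58: "ICMPv6", 89: "OSPF", 132: "SCTP",
}

# TCP flag bits, lowest first, which is the order Wireshark lists them
# (e.g. "[SYN, ACK]" for 0x12, "[PSH, ACK]" for 0x18).
TCP_FLAG_BITS = [
    (0x001, "FIN"), (0x002, "SYN"), (0x004, "RST"), (0x008, "PSH"),
    (0x010, "ACK"), (0x020, "URG"), (0x040, "ECE"), (0x080, "CWR"),
    (0x100, "NS"),
]

# Per-flag boolean field names as used with "-e tcp.flags.<x>". The thread's
# command uses tcp.flags.ecn for ECE; the .ece/.fin/.ns names are assumed
# (not taken from the thread) and are simply skipped when absent.
FLAG_COLUMNS = {
    "FIN": ("tcp.flags.fin",), "SYN": ("tcp.flags.syn",), "RST": ("tcp.flags.reset",),
    "PSH": ("tcp.flags.push",), "ACK": ("tcp.flags.ack",), "URG": ("tcp.flags.urg",),
    "ECE": ("tcp.flags.ecn", "tcp.flags.ece"), "CWR": ("tcp.flags.cwr",),
    "NS": ("tcp.flags.ns",),
}
TRUE_VALUES = {"1", "true"}  # boolean fields print as 1/0 or True/False depending on release


def proto_name(value):
    """Map a numeric ip.proto field ("6") to its name ("TCP"); unknown numbers stay numeric."""
    if value == "":
        return ""
    number = int(value)
    return IP_PROTO_NAMES.get(number, str(number))


def tcp_flag_names(value):
    """Render a tcp.flags value ("0x18", "0x00000018" or "24") Wireshark-style."""
    if value == "":
        return ""
    bits = int(value, 16) if value.lower().startswith("0x") else int(value)
    names = [name for bit, name in TCP_FLAG_BITS if bits & bit]
    return "[" + ", ".join(names) + "]" if names else "[<None>]"


def flags_from_booleans(row):
    """Rebuild the flags bitmask from per-flag columns (tcp.flags.syn, ...).
    Returns None when the row carries no flag values at all, which is what a
    non-TCP packet looks like in this output."""
    bits, seen_any = 0, False
    for bit, name in TCP_FLAG_BITS:
        for column in FLAG_COLUMNS[name]:
            cell = (row.get(column) or "").strip()
            if cell == "":
                continue
            seen_any = True
            if cell.lower() in TRUE_VALUES:
                bits |= bit
    return bits if seen_any else None


def decode_tshark_fields(text):
    """Parse "tshark -T fields -E header=y" output (tab separated by default)
    and add human-readable "proto" and "flags" keys to every row."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t")
    rows = []
    for row in reader:
        decoded = dict(row)
        decoded["proto"] = proto_name((row.get("ip.proto") or "").strip())
        raw_flags = (row.get("tcp.flags") or "").strip()
        if raw_flags:
            decoded["flags"] = tcp_flag_names(raw_flags)
        else:
            bits = flags_from_booleans(row)
            decoded["flags"] = tcp_flag_names(str(bits)) if bits is not None else ""
        rows.append(decoded)
    return rows


# Constructed sample shaped like "-e ... -e tcp.flags -E header=y" output (not a real capture).
SAMPLE_TCP_FLAGS = (
    "frame.number\tip.src\tip.dst\tip.proto\ttcp.srcport\ttcp.dstport\ttcp.flags\n"
    "1\t10.0.0.5\t10.0.0.9\t6\t51234\t80\t0x0002\n"
    "2\t10.0.0.9\t10.0.0.5\t6\t80\t51234\t0x0012\n"
    "3\t10.0.0.5\t10.0.0.9\t6\t51234\t80\t0x0018\n"
    "4\t10.0.0.5\t10.0.0.9\t17\t\t\t\n"
)

# Constructed sample shaped like the per-flag command from the thread (which has no tcp.flags.fin).
SAMPLE_PER_FLAG = (
    "frame.number\tip.proto\ttcp.flags.cwr\ttcp.flags.ecn\ttcp.flags.urg\ttcp.flags.ack"
    "\ttcp.flags.push\ttcp.flags.reset\ttcp.flags.syn\n"
    "1\t6\t0\t0\t0\t0\t0\t0\t1\n"
    "2\t6\t0\t0\t0\t1\t1\t0\t0\n"
)

if __name__ == "__main__":
    for row in decode_tshark_fields(SAMPLE_TCP_FLAGS) + decode_tshark_fields(SAMPLE_PER_FLAG):
        print(row["frame.number"], row["proto"], row["flags"])
```

Two practical points when feeding real output into it: `-T fields` separates columns with a tab by default, so a file named `test.csv` is still tab-separated unless `-E separator=,` is added (the parser above expects tabs), and a per-flag export needs `-e tcp.flags.fin` as well if FIN packets are to be distinguished from plain ACKs; the command in the thread leaves that field out.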