On Tue, 19 Aug 2008 22:59:33 +0100 paritosh kulkarni wrote:
> Thanks Joan this command works but still it gives the protocol in protocol
> number format.
> Is it the way it shows or we can change it some other way.
Well, I've tried something else: custom columns:
$ tshark -o column.format:""No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "Protocol", "%p", "srcport", "%uS", "dstport", "%uD", "len", "%L", "tcp.flags.ack", "%Cus:tcp.flags.ack", "tcp.flags.syn", "%Cus:tcp.flags.syn"" -r test.cap | head
1 0.000000 00:0d:8d:66:86:ce -> ff:ff:ff:ff:ff:ff ARP 42
2 0.000265 00:02:44:49:42:7b -> 00:0d:8d:66:86:ce ARP 60
3 0.000278 192.168.1.4 -> 210.61.144.37 DNS 64120 53 76
4 0.008086 210.61.144.37 -> 192.168.1.4 DNS 53 64120 380
5 0.010454 192.168.1.4 -> 64.149.93.104 TCP 1090 80 62 Set Set
6 0.025914 64.149.93.104 -> 192.168.1.4 TCP 80 1090 62 Set Set
7 0.025976 192.168.1.4 -> 64.149.93.104 TCP 1090 80 54 Set Set
8 0.032307 192.168.1.4 -> 64.149.93.104 HTTP 1090 80 481 Set Set
9 0.044930 64.149.93.104 -> 192.168.1.4 TCP 80 1090 60 Set Set
10 0.053650 64.149.93.104 -> 192.168.1.4 TCP 80 1090 1472 Set Set
* and Yes, you've got your protocol
** but it doesn't show the boolean value of the tcp.flags (just set or nothing)
BTW Wireshark gives the same result.
Grtz
Joan