Wireshark-users: Re: [Wireshark-users] Can I see all protocol dissection through tshark?

From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Mon, 2 Mar 2009 12:20:00 +0100
Yes, you can use the "-V" command line option to see the complete dissection tree:
 
$ tshark -r client.cap -R http.request -c1 -V)
Frame 4 (160 bytes on wire, 160 bytes captured)
    Arrival Time: Sep 23, 2008 22:31:59.249141000
    [Time delta from previous captured frame: 0.000589000 seconds]
    [Time delta from previous displayed frame: 0.002689000 seconds]
    [Time since reference or first frame: 0.002689000 seconds]
    Frame Number: 4
    Frame Length: 160 bytes
    Capture Length: 160 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:tcp:http]
Ethernet II, Src: IntelCor_61:3a:ad (00:1c:bf:61:3a:ad), Dst: JuniperN_bb:d1:3b (00:12:1e:bb:d1:3b)
    Destination: JuniperN_bb:d1:3b (00:12:1e:bb:d1:3b)
        Address: JuniperN_bb:d1:3b (00:12:1e:bb:d1:3b)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: IntelCor_61:3a:ad (00:1c:bf:61:3a:ad)
        Address: IntelCor_61:3a:ad (00:1c:bf:61:3a:ad)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.46 (192.168.1.46), Dst: 192.168.1.20 (192.168.1.20)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 146
    Identification: 0x588c (22668)
    Flags: 0x04 (Don't Fragment)
        0... = Reserved bit: Not set
        .1.. = Don't fragment: Set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 128
    Protocol: TCP (0x06)
    Header checksum: 0x1e47 [correct]
        [Good: True]
        [Bad : False]
    Source: 192.168.1.46 (192.168.1.46)
    Destination: 192.168.1.20 (192.168.1.20)
Transmission Control Protocol, Src Port: 43426 (43426), Dst Port: http (80), Seq: 1, Ack: 1, Len: 106
    Source port: 43426 (43426)
    Destination port: http (80)
    [Stream index: 0]
    Sequence number: 1    (relative sequence number)
    [Next sequence number: 107    (relative sequence number)]
    Acknowledgement number: 1    (relative ack number)
    Header length: 20 bytes
    Flags: 0x18 (PSH, ACK)
        0... .... = Congestion Window Reduced (CWR): Not set
        .0.. .... = ECN-Echo: Not set
        ..0. .... = Urgent: Not set
        ...1 .... = Acknowledgement: Set
        .... 1... = Push: Set
        .... .0.. = Reset: Not set
        .... ..0. = Syn: Not set
        .... ...0 = Fin: Not set
    Window size: 128000 (scaled)
    Checksum: 0x7d5b [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
    [SEQ/ACK analysis]
        [Number of bytes in flight: 106]
    [Timestamps]
        [Time since first frame in this TCP stream: 0.002689000 seconds]
        [Time since previous frame in this TCP stream: 0.000589000 seconds]
Hypertext Transfer Protocol
    GET / HTTP/1.0\r\n
        Request Method: GET
        Request URI: /
        Request Version: HTTP/1.0
    User-Agent: Wget/1.11.3\r\n
    Accept: */*\r\n
    Host: brutus.netcc.local\r\n
    Connection: Keep-Alive\r\n
    \r\n
 
$
 
 
----- Original Message -----
From: Beno, Tal
Sent: Monday, March 02, 2009 11:13 AM
Subject: [Wireshark-users] Can I see all protocol dissection through tshark?

Hi,

 

I am fairly new and am still learning the basics.

I am trying to use tshark for background only capturing and analysis (no display needed\wanted).

I am seeing in the captured stream only the pcap protocols such as TCP.

 

My need is to dissect the packets also for all the additional protocols as supported in the Wireshark UI (HTTP, FTP, TELNET …).

Is it possible through tshark (or any other non UI way)?

 

Thanks,

Tal


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe