Christos Papoulas
Reputation: 2568
How to capture only TCP traffic with tshark
I have the following command:
tshark -n -r ./file.dump -Y "(tcp.flags.syn==1 or tcp.flags.ack==1 and tcp.flags.fin==0)"
For some reason prints and ICMP messages.
How can tell tshark to print only tcp packets?
The only that I'm thinking is to grep it grep "TCP". But it not a good solution.
Upvotes: 1
Views: 1944
Answers (1)
user862787
Reputation:
For some reason prints ICMP messages.
Wireshark/TShark dissect the payload of ICMP messages; if they happen to include part of a TCP segment, that will be dissected, so the packet will contain those flags).
How can tell tshark to print only tcp packets?
tshark -n -r ./file.dump -Y "not icmp and (tcp.flags.syn==1 or tcp.flags.ack==1 and tcp.flags.fin==0)"
Upvotes: 3
Related Questions
- tshark.exe: capture traffic without content, only headers of packets
- tshark to filter UDP flows
- how to capture package at a specific port on any interface using tshark
- tshark: capture specific bytes from a packet data (content)
- How to get source and destination port with tshark regardless of protocol?
- tshark - only output application layer decode
- How to filter TCP option with wireshark?
- How to capture only incoming TCP streams in WireShark?
- Tshark - can't display just data of custom protocol
- Sniffing packets using tshark