Ning

Reputation: 419

How to extract all the HTTP requests' TCP sequence numbers with tshark?

For some research reason, I need to get the HTTP package's TCP sequence numbers. I have already got the pcap file, so how should I do that with tshark?

Thanks so much for answering my question!

Upvotes: 1

Views: 3602

Answers (2)

RpB

Reputation: 315

Using tshark, apply the corresponding TCP filter (tcp.nxtseq). Check this page for more: https://www.wireshark.org/docs/dfref/t/tcp.html

C:\Program Files\Wireshark>tshark -r C:<path to pcap>sample.pcap -T fields -e ip.src -e ip.dst -e ip.proto -e tcp.srcport -e tcp.dstport -e tcp.flags.ack -e tcp.flags.cwr -e tcp.flags.ecn -e tcp.flags.fin -e tcp.flags.ns -e tcp.flags.push -e tcp.flags.res -e tcp.flags.reset -e tcp.flags.syn -e tcp.flags.urg > C:/20Oct.txt

Upvotes: -1

cnicutar

Reputation: 182734

Something like this should do it:

tshark -r your_file -Y http -T fields -e tcp.seq

The sequence numbers are relative or absolute as controlled by .wireshark/preferences. By default it's relative (so you will see small numbers). If you want absolute sequence numbers, edit preferences:

tcp.relative_sequence_numbers: FALSE

Upvotes: 4
