Wireshark-users: [Wireshark-users] tshark tzsp capture
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Alexander Kosykh <avkosykh@xxxxxxxxx>
Date: Wed, 25 Nov 2009 23:29:52 +0300
I can't understand why then i do this command tshark -i extif -f "udp port 7002" -n -d udp.port==7002,tzsp I see packets without tzsp encapsulation on my console
Capturing on extif
0.000000 172.16.170.2 -> 213.248.49.44 TCP 51217 > 7503 [ACK] Seq=1 Ack=1 Win=63393 Len=0
0.031443 172.16.170.2 -> 88.212.223.2 TCP 49280 > 29000 [ACK] Seq=1 Ack=1 Win=64223 Len=0
0.051480 88.212.223.2 -> 172.16.170.2 TCP 29000 > 49280 [PSH, ACK] Seq=1 Ack=1 Win=15829 Len=15
0.209293 213.248.49.44 -> 172.16.170.2 TCP 7503 > 51217 [PSH, ACK] Seq=1 Ack=1 Win=65535 Len=197
0.249949 172.16.170.2 -> 88.212.223.2 TCP 49280 > 29000 [ACK] Seq=1 Ack=16 Win=64208 Len=0
0.410098 172.16.170.2 -> 213.248.49.44 TCP 51217 > 7503 [ACK] Seq=1 Ack=198 Win=64800 Len=0
0.427358 88.212.223.2 -> 172.16.170.2 TCP 29000 > 49280 [PSH, ACK] Seq=16 Ack=1 Win=15829 Len=22

but if I set -w outfile and then look the file with tshark -n -r outfile I see only tzsp encapsulated packets

3603 289.761278 10.100.15.19 -> 10.101.15.69 UDP Source port: 53908 Destination port: 7002
3604 289.961221 10.100.15.19 -> 10.101.15.69 UDP Source port: 53908 Destination port: 7002
3605 289.982428 10.100.15.19 -> 10.101.15.69 UDP Source port: 53908 Destination port: 7002
3606 290.181036 10.100.15.19 -> 10.101.15.69 UDP Source port: 53908 Destination port: 7002
3607 290.202244 10.100.15.19 -> 10.101.15.69 UDP Source port: 53908 Destination port: 7002
3608 290.400268 10.100.15.19 -> 10.101.15.69 UDP Source port: 53908 Destination port: 7002
3609 290.421330 10.100.15.19 -> 10.101.15.69 UDP Source port: 53908 Destination port: 7002

how can i save traffic to file without tzsp encapsulation?

Best regards,
Alexander Kosykh.