How to capture only TCP traffic with tshark

https://stackoverflow.com/questions/23595193

network-protocols
tshark

20-07-2023
|

Question

I have the following command:

tshark -n -r ./file.dump -Y "(tcp.flags.syn==1 or tcp.flags.ack==1 and tcp.flags.fin==0)"

For some reason prints and ICMP messages.

How can tell tshark to print only tcp packets?

The only that I'm thinking is to grep it grep "TCP". But it not a good solution.

Solution

For some reason prints ICMP messages.

Wireshark/TShark dissect the payload of ICMP messages; if they happen to include part of a TCP segment, that will be dissected, so the packet will contain those flags).

How can tell tshark to print only tcp packets?

tshark -n -r ./file.dump -Y "not icmp and (tcp.flags.syn==1 or tcp.flags.ack==1 and tcp.flags.fin==0)"

Licensed under: CC-BY-SA with attribution

Not affiliated with StackOverflow