Wireshark-users: [Wireshark-users] tshark doesn't capture what wireshark does



From: José María Polvorosa Amor <jospolamo@xxxxxxxxxxx>
Date: Tue, 5 Feb 2008 13:21:49 +0000

Dear friend,

I need to use "tshark" because it's integrated in a C program that takes its output data and processes it.
The purpose of using tshark is to collect ftp and ftp-data packets in an FTP transfer (myServer->myPC).
But when I filter (read filter syntax) using "tshark -p -R ftp", tshark doesn't collect any data, or when it collects something, this data is incomplete or random, but this doesn't happen with wireshark (gui).
Tshark should collect all FTP data: REQUEST, Entering passive mode, Opening binary mode, all FTP-DATA (chopped file) and finally Transfer Complete. Wireshark does it.

Example:
--I transfer a file from myServer to myPC. Wireshark is sniffing on myPC.
1. Wireshark (gui) is sniffing at the same time. Then I filter packets to show only "ftp or ftp-data". Everything OK
2. Tshark is sniffing at the same time. Command: tshark -i eth0 -p -R "ftp or ftp-data". Sometimes it collects 1 packet, sometimes 4 packets, but always the first packets, never "FTP Response: Transfer complete", which is the last one in a correct transfer, or the ftp-data that contains the file data.

I also updated my Fedora 6 kernel (2.6.20-1.2962), but I don't know if that affects it; all my modules work properly.
So I would be pleased if someone could help me. Is it a problem with the kernel, or maybe the update modified wireshark? I changed the wireshark version, reinstalled a new one, and everything goes on. I'm a bit desperate.

Thank you all. Best regards
--------
Information from : wireshark -v
wireshark 0.99.3a

Copyright 1998-2006 Gerald Combs and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GTK+ 2.10.2, with GLib 2.12.2, with libpcap 0.9.4,
with libz 1.2.3, with libpcre 6.6, with Net-SNMP 5.3.1, without ADNS,
without Lua.

Running with libpcap version 0.9.4 on Linux 2.6.20-1.2962.fc6.
--------

