This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Copying displayed fields

0

Hello Sir, I want to copy displayed fields e.g. time and packet length only. I want to use only these fields for further processing of my dataset. How can I do that?

asked 08 Apr '12, 10:12


chandu85420


One Answer:

1

Have you looked at tshark, the command line version of Wireshark? Using the options -T fields -e frame.time_epoch -e frame.len gives you output of the form 1330082384.015475000 64, which is the frame time in seconds since the epoch (00:00:00 1/1/1970) and the length (on the wire) of the frame.

You can use any filterable fields with -e. In the GUI, just click on the relevant part of the protocol in the packet tree and the field description and, more importantly, the name will be displayed in the status bar at the bottom left.

answered 09 Apr '12, 05:43


grahamb ♦


Actually I want to copy field values as shown in the figure below. Timing at which packet was seen and length. My objective is to collect time and packet size only so that I can make a dataset comprising these field values and nothing else. Please help.

(09 Apr '12, 23:16) chandu85420
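
The tshark approach from the answer, turned into a time/length dataset, as an added example that is not part of the original thread. The function names, the CSV column names and the sample lines are assumptions made for illustration; the tshark options are the ones quoted in the answer plus -r to read a capture file.

```bash
#!/usr/bin/env bash
# Added example: build a CSV of packet time and length from a capture file.

# extract_fields CAPTURE: print one "epoch_time<TAB>frame_len" line per packet
# (tab is tshark's default separator for -T fields).
extract_fields() {
    tshark -r "$1" -T fields -e frame.time_epoch -e frame.len
}

# fields_to_csv: read tshark field output on stdin, write CSV on stdout.
# Lines that are not "<number> <integer>" are skipped. delta_s is the gap to
# the previous packet; awk uses doubles, so it is good to about a microsecond.
fields_to_csv() {
    awk '
        BEGIN { print "time_epoch,frame_len,delta_s" }
        NF == 2 && $1 ~ /^[0-9]+(\.[0-9]+)?$/ && $2 ~ /^[0-9]+$/ {
            delta = (seen ? $1 - prev : 0)
            printf "%s,%s,%.6f\n", $1, $2, delta
            prev = $1; seen = 1
        }
    '
}

# Constructed sample in the format shown in the answer (not real capture data).
sample_fields() {
    printf '1330082384.015475000\t64\n'
    printf '1330082384.515475000\t1514\n'
    printf 'garbage line\n'
    printf '1330082385.015475000\t60\n'
}

# Usage: ./fields.sh capture.pcap > dataset.csv
if [ "$#" -ge 1 ]; then
    extract_fields "$1" | fields_to_csv
fi
```

Without an argument the script does nothing; `sample_fields | fields_to_csv` shows the conversion on the constructed lines without needing a capture.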