This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark commands -e and -T

0

I want to print the information that I need of a PCAP file. I know that I can use the command "tshark -e":

tshark -r rdpcap.pcap -e ip.src -e ip.dst -e data -e frame.number -T fields

My question is: How can I display the "id source port", "id destination port"?

And for "-e data", is it possible to display just the first 8 bytes?

asked 02 May '12, 08:32

Alice's gravatar image

Alice
1333
accept rate: 0%

edited 02 May '12, 14:47

helloworld's gravatar image

helloworld
3.1k42041
One Answer:
active answersoldest answersnewest answerspopular answers
1

I guess you are interested in tcp.srcport and tcp.dstport, so please use this:

tshark -i 1 -n -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e data -T fields

If you need the UDP source port, replace tcp with udp, e.g. udp.srcport.

And for "-e data", is it possible to display juste the first 8 bytes?

Unfortunately, this is not possible. However, you can limit the total packet size with editcap, effectively getting only 8 bytes of data, at least in the most cases.

Capture

tshark -i 1 -n -w http.pcap

Truncate

editcap.exe -s62  http.pcap http_truncated.pcap

Print

tshark -i 1 -n -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e data -T fields -r http_truncated.pcap

Regards
Kurt

permanent link

answered 02 May '12, 11:43

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 03 May '12, 15:46

helloworld's gravatar image

helloworld
3.1k42041

Thanks you. I tried "-e udp.srcport", that works!! I have another question, that will be so nice if you can help me again. If i want to print the ID, is there something like "-e id.src, -e id.dst" ? I tried this command, but it doesn't work. And for "-e frame.time", i just want to display "Mai 3, 2012 10:00:00", not like "Mai 3, 2012 10:00:00:958252000", can I?

Regards

(03 May '12, 00:59) Alice

What is the element you are calling "id"? To see (most) of the element names that you can supply to -e open the capture in the Wireshark GUI click on the field you are interested in in the packet tree and the status bar will show you the field name.

There are a number of other frame.timeXXX fields, you could use but they all display fractional seconds. The format you require doesn't appear to be supported, and the -t and -u parameters don't affect field values.

(03 May '12, 02:29) grahamb ♦

what do you meand by "ID"? Is it the IP ID? If yes, please use -e ip.id"

(03 May '12, 03:59) Kurt Knochner ♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×832

question asked: 02 May '12, 08:32

question was seen: 18,778 times

last updated: 03 May '12, 15:46

Related questions

wireshark_gtk / tshark 2.3.0 export http objects error

Localized LUA Dissector tostring() in TShark Output

Tshark tcp conv table

Can't export mac address as CSV

static tshark builds for linux and/or solaris sparc/x64

tshark hex dump

could the file name parameter in tshark be chinese characters?

Write Gzip Encoded HTTP as Inflated in PCAP File

Use tshark to analyze source and destination IPs from dumpfile?

Difference TShark / Wireshark when load a pcap

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A