I want to print the information that I need from a PCAP file. I know that I can use the command "tshark -e":
My question is: How can I display the "id source port", "id destination port"? And for "-e data", is it possible to display just the first 8 bytes?
asked 02 May '12, 08:32 Alice, edited 02 May '12, 14:47 helloworld
One Answer:
I guess you are interested in
If you need the UDP source port, replace
Unfortunately, this is not possible. However, you can limit the total packet size with editcap, effectively getting only 8 bytes of data, at least in most cases.
Thank you. I tried "-e udp.srcport", that works!! I have another question, it would be so nice if you could help me again. If I want to print the ID, is there something like "-e id.src, -e id.dst"? I tried this command, but it doesn't work. And for "-e frame.time", I just want to display "Mai 3, 2012 10:00:00", not like "Mai 3, 2012 10:00:00:958252000", can I?
Regards
What is the element you are calling "id"? To see (most) of the element names that you can supply to -e, open the capture in the Wireshark GUI and click on the field you are interested in in the packet tree; the status bar will show you the field name.
There are a number of other frame.timeXXX fields you could use, but they all display fractional seconds. The format you require doesn't appear to be supported, and the -t and -u parameters don't affect field values.
What do you mean by "ID"? Is it the IP ID? If yes, please use "-e ip.id".
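An added example, not part of the original thread: since tshark itself does not shorten the data field or drop fractional seconds, the text output can be trimmed after the fact. The sketch assumes tab-separated "-T fields" output with the column order frame.time, udp.srcport, udp.dstport, ip.id, data; the sample rows are constructed and capture.pcap is a placeholder file name.

```shell
#!/bin/sh
# Post-process tab-separated tshark field output read from stdin.
# Assumed column order: frame.time, udp.srcport, udp.dstport, ip.id, data
trim_fields() {
    awk -F '\t' -v OFS='\t' '
    {
        # Drop fractional seconds: "10:00:00.958252000" -> "10:00:00"
        sub(/[.][0-9]+/, "", $1)
        # data is printed as "de:ad:be:ef" or "deadbeef" depending on
        # the tshark version; normalise to plain hex
        gsub(/:/, "", $5)
        # 8 bytes = 16 hex digits; shorter payloads are kept whole
        $5 = substr($5, 1, 16)
        print
    }'
}

# Constructed sample rows standing in for real tshark output
sample_rows() {
    printf 'May  3, 2012 10:00:00.958252000 CEST\t5060\t5061\t0x1a2b\t00:11:22:33:44:55:66:77:88:99:aa\n'
    printf 'May  3, 2012 10:00:01.000120000 CEST\t53\t40000\t0x1a2c\tdeadbeef\n'
}

# Real use (capture.pcap is a placeholder):
# tshark -r capture.pcap -T fields -e frame.time -e udp.srcport \
#        -e udp.dstport -e ip.id -e data | trim_fields
sample_rows | trim_fields
```

Unlike truncating packets with editcap, this leaves the capture file untouched and only shortens the printed columns.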