
tshark commands -e and -T


I want to print the information that I need from a PCAP file. I know that I can use the command "tshark -e":

tshark -r rdpcap.pcap -e ip.src -e ip.dst -e data -e frame.number -T fields

My question is: How can I display the "id source port", "id destination port"?

And for "-e data", is it possible to display just the first 8 bytes?

asked 02 May '12, 08:32

Alice

accept rate: 0%

edited 02 May '12, 14:47

helloworld


One Answer:


I guess you are interested in tcp.srcport and tcp.dstport, so please use this:

tshark -i 1 -n -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e data -T fields

If you need the UDP source port, replace tcp with udp, e.g. udp.srcport.

And for "-e data", is it possible to display just the first 8 bytes?

Unfortunately, this is not possible. However, you can limit the total packet size with editcap, effectively getting only 8 bytes of data, at least in most cases.


tshark -i 1 -n -w http.pcap


editcap.exe -s62  http.pcap http_truncated.pcap


tshark -i 1 -n -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e data -T fields -r http_truncated.pcap


answered 02 May '12, 11:43


Kurt Knochner ♦
accept rate: 15%

edited 03 May '12, 15:46

helloworld
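An added example, not part of the original answer or of Wireshark itself: instead of truncating the capture with editcap, the tab-separated output of `-T fields` can be post-processed so that only the first N bytes of the `data` column remain, which does not depend on the header lengths in front of the payload. It assumes `-e data` is the last `-e` field and is printed as hex, either contiguous or colon-separated; the function names `first_bytes` and `sample_output` and the sample rows are constructed for illustration.

```shell
#!/bin/sh
# first_bytes N
# Reads tab-separated `tshark -T fields` output on stdin and cuts the last
# column (assumed to be the hex payload from `-e data`) to its first N bytes.
first_bytes() {
    awk -F '\t' -v OFS='\t' -v n="$1" '
    {
        hex = $NF
        if (hex ~ /:/) {
            # Colon-separated form "aa:bb:cc": 3 chars per byte,
            # minus the colon that would trail the last kept byte.
            $NF = substr(hex, 1, n * 3 - 1)
        } else {
            # Contiguous hex: 2 chars per byte.
            $NF = substr(hex, 1, n * 2)
        }
        print
    }'
}

# Constructed sample rows (not from a real capture), columns:
# frame.number, ip.src, ip.dst, tcp.srcport, tcp.dstport, data
sample_output() {
    # payload longer than 8 bytes, contiguous hex
    printf '1\t10.0.0.5\t10.0.0.9\t49152\t80\t474554202f696e6465782e68746d6c\n'
    # packet without payload: the data column is empty
    printf '2\t10.0.0.9\t10.0.0.5\t80\t49152\t\n'
    # payload longer than 8 bytes, colon-separated hex
    printf '3\t10.0.0.5\t10.0.0.9\t49153\t80\t48:54:54:50:2f:31:2e:31:20:32\n'
    # payload shorter than 8 bytes is left unchanged
    printf '4\t10.0.0.5\t10.0.0.9\t49153\t80\t0102\n'
}

# Demonstration on the constructed rows.
sample_output | first_bytes 8

# With a real capture file, using the fields from the answer above:
#   tshark -r rdpcap.pcap -n -T fields -e frame.number -e ip.src -e ip.dst \
#          -e tcp.srcport -e tcp.dstport -e data | first_bytes 8
```

Rows without a payload keep their empty last column, so the column count stays the same for any later parsing step.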


Thank you. I tried "-e udp.srcport", that works!! I have another question, it would be so nice if you could help me again. If I want to print the ID, is there something like "-e id.src, -e id.dst"? I tried this command, but it doesn't work. And for "-e frame.time", I just want to display "Mai 3, 2012 10:00:00", not like "Mai 3, 2012 10:00:00:958252000", can I?


(03 May '12, 00:59) Alice

What is the element you are calling "id"? To see (most) of the element names that you can supply to -e, open the capture in the Wireshark GUI and click on the field you are interested in in the packet tree, and the status bar will show you the field name.

There are a number of other frame.timeXXX fields you could use, but they all display fractional seconds. The format you require doesn't appear to be supported, and the -t and -u parameters don't affect field values.

(03 May '12, 02:29) grahamb ♦

What do you mean by "ID"? Is it the IP ID? If yes, please use -e"

(03 May '12, 03:59) Kurt Knochner ♦