The default columns that Wireshark uses are specified by the following in tshark:
Windows:
`tshark -o "column.format:\"No.\",\"%Cus:frame.number:0:R\",\"Time\",\"%t\",\"Source\",\"%s\",\"Destination\",\"%d\",\"Protocol\",\"%p\",\"Length\",\"%L\",\"Info\",\"%i\""`
*Nix:
`tshark -o 'column.format:"No.","%Cus:frame.number:0:R","Time","%t","Source","%s","Destination","%d","Protocol","%p","Length","%L","Info","%i"'`
If you want to display the MAC addresses, you can modify that to use one or more of the following, giving any name you want for the format:

| Format | Description |
|--------|-------------|
| `%hd` | Hardware dest addr |
| `%hs` | Hardware src addr |
| `%rhd` | Hw dest addr (resolved) |
| `%uhd` | Hw dest addr (unresolved) |
| `%rhs` | Hw src addr (resolved) |
| `%uhs` | Hw src addr (unresolved) |

For example:
`tshark -o 'column.format:"No.","%Cus:frame.number:0:R","Time","%t","HwSrc","%hs","HwDst","%hd"'`
If you're using a version of Wireshark post r52627, then you can run `tshark -G column-formats` to see all the available column options. If not, then you can refer to the Wireshark source code for them.
answered 24 Oct '13, 10:20
cmaynard ♦♦
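
Added example, not part of the answer above: a POSIX shell helper that assembles the `column.format` preference from title/format pairs, so the nested quoting is generated rather than typed by hand. The function names `build_column_format` and `mac_columns` are hypothetical, and the capture file is whatever path you pass in.

```shell
#!/bin/sh
# Hypothetical helper (added example): build the value for tshark's
# column.format preference from TITLE FORMAT pairs.
# Usage: build_column_format TITLE FORMAT [TITLE FORMAT ...]
build_column_format() {
    if [ "$#" -eq 0 ] || [ $(( $# % 2 )) -ne 0 ]; then
        echo "build_column_format: need TITLE FORMAT pairs" >&2
        return 2
    fi
    out='column.format:'
    sep=''
    while [ "$#" -gt 0 ]; do
        title=$1 fmt=$2
        shift 2
        # A double quote in a title or format would break the preference's quoting.
        case "$title$fmt" in
            *\"*) echo "build_column_format: double quote not allowed" >&2; return 2 ;;
        esac
        # Format specifiers start with '%', as in the table above.
        case "$fmt" in
            %?*) ;;
            *) echo "build_column_format: bad format '$fmt'" >&2; return 2 ;;
        esac
        out="${out}${sep}\"${title}\",\"${fmt}\""
        sep=','
    done
    printf '%s\n' "$out"
}

# Hypothetical wrapper: print frame number, time and the unresolved hardware
# addresses for a capture file. Extra arguments are passed through to tshark.
mac_columns() {
    pref=$(build_column_format \
        'No.' '%Cus:frame.number:0:R' 'Time' '%t' \
        'HwSrc' '%uhs' 'HwDst' '%uhd') || return
    file=$1
    shift
    tshark -r "$file" -o "$pref" "$@"
}
```

Because the preference is passed to tshark as a single quoted shell variable, the same call works regardless of how the interactive shell would treat the inner double quotes.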