Hi All, I am working on the tshark -T option to export fields to a .csv file. I successfully performed the conversion using
tshark -r input.pcap -T fields -e field_name -E separator=,
I have tried the field names ip.src, ip.dst and frame.number. I would like to know all the field names which I can use in exporting a .csv file. Thanks,
asked 16 Feb '14, 21:52 Aditi
edited 17 Feb '14, 02:04 grahamb ♦
One Answer:
There are lots of fields, use
or check the online docs
answered 17 Feb '14, 02:09 grahamb ♦
Thanks Kurt,
As you suggested, I got the full field list. Upon checking it, I find a lot of other fields in all protocols. Say, for the IP protocol, I found ip.geoip.city and ip.src_rt. As per my knowledge, there is no field for geoip.city or src_rt in the IP protocol header. I could not understand from where Wireshark/tshark will capture all these details if they are not at all available in the packet itself....
Some fields are synthesized by Wireshark from the information in the capture and sometimes using external sources.
In the case of the two fields mentioned, ip.geoip.city is set via IP to geographic location lookup and the second field, ip.src_rt, is set if the packet contains IP source routing options, either LSRR or SSRR, see RFC 791.
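An added example, not part of the original thread: parsing the output of the export command from the question. It assumes tshark's default of joining multiple occurrences of a field with a comma, which collides with `-E separator=,` unless `-E quote=d` is also given; the sample output lines and the helper names are constructed for illustration.

```python
import csv
import io

FIELDS = ["frame.number", "ip.src", "ip.dst"]  # field names from the question


def tshark_argv(pcap, fields, quoted=True):
    """Build the export command; -E quote=d wraps every value in double quotes."""
    argv = ["tshark", "-r", pcap, "-T", "fields"]
    for name in fields:
        argv += ["-e", name]
    argv += ["-E", "separator=,"]
    if quoted:
        argv += ["-E", "quote=d"]
    return argv


def parse_export(text, fields):
    """Return (rows, misaligned_line_numbers) for tshark field output.

    Each row maps a field name to the list of its occurrences in that frame.
    """
    rows, bad = [], []
    for lineno, rec in enumerate(csv.reader(io.StringIO(text)), start=1):
        if len(rec) != len(fields):
            bad.append(lineno)  # column count no longer matches the -e list
            continue
        rows.append({n: (v.split(",") if v else []) for n, v in zip(fields, rec)})
    return rows, bad


# Constructed sample output. Frame 2 is IP-in-IP, so ip.src and ip.dst each
# occur twice (outer, inner); frame 3 carries no IP layer at all.
UNQUOTED = "1,10.0.0.1,10.0.0.2\n2,192.0.2.1,10.1.1.1,192.0.2.2,10.1.1.2\n3,,\n"
QUOTED = (
    '"1","10.0.0.1","10.0.0.2"\n'
    '"2","192.0.2.1,10.1.1.1","192.0.2.2,10.1.1.2"\n'
    '"3","",""\n'
)

if __name__ == "__main__":
    print(" ".join(tshark_argv("input.pcap", FIELDS)))
    for label, sample in (("unquoted", UNQUOTED), ("quoted", QUOTED)):
        rows, bad = parse_export(sample, FIELDS)
        print(label, "rows:", len(rows), "misaligned lines:", bad)
```
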