This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

command line usage?

0

I need to take a pcap file import it into wire shark, filter it for dicom and then export the Packet Dissections as plain text. I'm doing it manually at the moment in wireshark, but was wondering if there was a way to do this from the command line.

TIA. B.

asked 12 Jun '14, 13:09

BJOBrien's gravatar image

BJOBrien
11224
accept rate: 0%

edited 12 Jun '14, 13:10

2 Answers:

0
tshark -Y dicom -V -r {your file}

(or -R dicom in older versions).

You might have to use -o dicom.tcp.port:NNNN if the DICOM traffic is on port NNNN rather than the default port, 104.

answered 12 Jun '14, 13:30

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

I didn't find any tshark executable on my Mac

(12 Jun '14, 13:40) BJOBrien

If you installed Wireshark from a dmg downloaded from Wireshark.org, try re-installing it, and don't un-check the install option for the command-line tools. That should put a tshark command in /usr/local/bin.

If you installed Wireshark from somewhere else, check with whatever source provided Wireshark to see how to get the command-line tools installed.

(12 Jun '14, 13:52) Guy Harris ♦♦

if my dicom server is listening on port 11112 Woud filtering on dicom (within wireshark) work or does dicom filtering assume port 104?

(12 Jun '14, 14:00) BJOBrien

DICOM filtering assumes that Wireshark/TShark/whatever dissected the packet as DICOM.

DICOM dissection assumes port 104 by default; that's why I said "You might have to use -o dicom.tcp.port:NNNN if the DICOM traffic is on port NNNN rather than the default port, 104."

So, if the DICOM server is listening on port 11112, you'd need to do

tshark -o dicom.tcp.port:11112 -Y dicom -V -r {your file}

in TShark, and would need to change the DICOM preference "DICOM ports" to include port 11112 in Wireshark.

(12 Jun '14, 14:08) Guy Harris ♦♦

So if I want dicom on both port 104 and port 11112 then I specify both separated by a comma in the prefrenced?

P.S. I had different columns selected in wireshark, like Source Port and Destination Port. I assume those columns that I want to include in my text export can be specified on the tshark command line as well?

What if I don't want the TCP/IP portion of the text output but just the DICOM message?

(12 Jun '14, 14:38) BJOBrien

So if I want dicom on both port 104 and port 11112 then I specify both separated by a comma in the prefrenced?

Yes.

P.S. I had different columns selected in wireshark, like Source Port and Destination Port. I assume those columns that I want to include in my text export can be specified on the tshark command line as well?

You said "export the Packet Dissections as plain text"; I assume you meant you just wanted the information that shows up in the "packet details" pane in Wireshark. What exactly do you want the text output to contain? Summary pane (the columns)? Detail pane? Hex dump?

What if I don't want the TCP/IP portion of the text output but just the DICOM message?

You can't completely eliminate the TCP/IP portion, but -O dicom should cause the TShark output to look like the packet detail pane with eveything but DICOM closed.

(12 Jun '14, 14:47) Guy Harris ♦♦
showing 5 of 6 show 1 more comments

0

Please try this

tshark -nr input.pcap -Y 'dicom' -V

Regards
Kurt

answered 12 Jun '14, 13:30

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

O.k. @Guy Harris was 28 seconds faster ;-)

(12 Jun '14, 13:31) Kurt Knochner ♦

I didn't find any tshark executable on my Mac

See the answer to this question

http://ask.wireshark.org/questions/30819/how-to-setup-and-run-tshark-on-os-x-1092

(12 Jun '14, 13:52) Kurt Knochner ♦