This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

select packet bytes as per packet details tshark

0

Hi,

I want to select/highlight the packets bytes as per the selection in the packet details using tshark commands

Screen shot attached.

Thanks,

Sample Selection

asked 01 Dec '14, 23:58

erarijit's gravatar image

erarijit
21459
accept rate: 0%


One Answer:

-1

If you'd shown a little bit more of the image you would have seen the answer. At the bottom left of the wireshark UI is a status bar that shows the description and name of the field that is currently highlighted in the packet details pane. In your case it is the "Target MAC address" and the field name is "arp.dst.hw_mac".

Using this field name and the tshark options -T fields and -e field.name we get:

tshark -r your_capture.pcapng -T fields -e arp.dsthw_mac

tshark supports multiple -e field.name parameters so you can display all the fields you require, other fields names can be determined by highlighting them in the packet details and looking at their name in the status bar.

answered 02 Dec '14, 01:27

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

hi thanks for your response, but i do not want to load a file im running the command tshark.exe "-i 1 -P -V -S \"End of Packet\" -x -E separator=/t";

which gives me all the packet list, packet bytes and packet details in same format as wireshark does.

But I need to highlight the bytes for each selection dynamically like wireshark does.

(02 Dec '14, 01:47) erarijit

Your question is unclear. What do you mean by highlight and selection? Print out in inverse video or annotate that line of output in someway? If so, then tshark can't do that as it a) doesn't do any annotation of particular output lines and b) it has no concept of "selecting" particular output lines apart from selecting particular fields by the -e parameter.

Can you maybe grab some current tshark output and edit it and post that to make it clearer what you want to achieve.

(03 Dec '14, 02:35) grahamb ♦

thanks for the reply, If you have used wireshark then you must have seen that for every Packet Detail and Packet Byte Info is highlighted in Blue. I've written similar UI using tshark commands, but the correlation between the packet byte and packet details is what I want.

(03 Dec '14, 21:15) erarijit

That can't be done (currently) with tshark.

(04 Dec '14, 03:07) grahamb ♦

Then how wireshark is doing that, I'm sure wireshark is using tshark in the background isn't it?

(08 Dec '14, 22:30) erarijit

, I'm sure wireshark is using tshark in the background isn't it?

No, both use the capture library libwireshark to dissect packet data.

Then how wireshark is doing that

It's done in the packet byte widget for the GUI.

(09 Dec '14, 00:42) Anders ♦

Thanks for the response Anders, can I find the packet byte widget, if you can throw some light on the same.

(09 Dec '14, 01:35) erarijit

but the correlation between the packet byte and packet details is what I want.

That "correlation" is the value of the dissected fields, so the correct answer is what @grahamb already posted in his answer:

tshark -r your_capture.pcapng -T fields -e arp.dsthw_mac

If that is not what you need, please add (much) more details to your request and/or add an example of what you see in the GUI and what you would like to see in the tshark output.

Your ARP example is quite unclear, as I don't know if you are after the "Target MAC address" as that's the marked field or after the six bytes at position 0x20, regardless if that's the "ARP Target MAC address" or not.

If it's the "Target MAC address", the answer of @grahamb is correct and you should accept his answer, unless you have good reasons for not doing that.

If it's the bytes at position 0x20, Wireshark/tshark is probably the wrong tool for you. To answer that question, please tell us why you need that information, if the position is always the same (0x20) and in which format you need the data.

Regards
Kurt

(09 Dec '14, 02:24) Kurt Knochner ♦

Hi Kurt,

I'm looking to create exactly the same UI as wireshark, where when user clicks on any packet, its packet details are being displayed, and when packet details are selected then the packet bytes are highlighted accordingly.

It has to be a dynamic process are I'm not using any pcap dump files for the same.

Like When user clicks Taget Mac Address 0x20 is highlighted, similarly when user will clicks Target IP Address then it's corresponding bytes will be selected.

(09 Dec '14, 03:41) erarijit

That's just not possible.

In Wireshark you can only select the packet and field of interest after it's been captured. As the GUI retains the packet info, this allows you to "travel back in time" to select an already captured packet and dissect it again.

tshark doesn't work like that, once the packet has been captured and dissected and written to the output, it's effectively done with that packet. There is no mechanism to go back and say I want field x of packet y.

So with tshark, you can (ahead of time) specify parameters on the command line for which fields you wish to display as I demonstrated, but they won't show the packet bytes with a highlight

(09 Dec '14, 03:58) grahamb ♦
showing 5 of 10 show 5 more comments