Hi, I want to select/highlight the packet bytes as per the selection in the packet details using tshark commands. Screenshot attached. Thanks.
asked 01 Dec '14, 23:58 erarijit
One Answer:
If you'd shown a little bit more of the image you would have seen the answer. At the bottom left of the wireshark UI is a status bar that shows the description and name of the field that is currently highlighted in the packet details pane. In your case it is the "Target MAC address" and the field name is "arp.dst.hw_mac". Using this field name and the tshark options
tshark supports multiple
answered 02 Dec '14, 01:27 grahamb ♦
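As an added illustration of the field-name approach in the answer above (this is not code from the thread or from the Wireshark project): a Python wrapper that asks tshark for named fields with -T fields/-e instead of the full -V dump and parses the tab-separated output. The sample output is constructed; tshark is only invoked in run_live().

```python
import subprocess
from typing import Dict, Iterable, Iterator, List

# Field names to extract; the Wireshark status bar shows the exact name
# (e.g. "arp.dst.hw_mac") when a packet-details line is selected.
FIELDS = ["frame.number", "eth.src", "arp.dst.hw_mac", "arp.dst.proto_ipv4"]


def build_cmd(interface: str, fields: List[str], tshark: str = "tshark") -> List[str]:
    """Live-capture command that prints only the named fields, one packet per line.
    -l flushes after every packet so a wrapper sees lines as they arrive;
    -E header=y prints the field names once as the first line;
    -E separator=/t is a tab; -E occurrence=a joins repeated fields with ','."""
    cmd = [tshark, "-i", interface, "-l", "-T", "fields",
           "-E", "header=y", "-E", "separator=/t", "-E", "occurrence=a"]
    for name in fields:
        cmd += ["-e", name]
    return cmd


def parse_fields_output(lines: Iterable[str]) -> Iterator[Dict[str, List[str]]]:
    """Yield one {field_name: [occurrences]} dict per packet.
    The first line is the header row. A field absent from a packet is an empty
    cell and becomes []; a field present several times (tunnelled IP, say)
    arrives ','-joined and is split back into a list."""
    it = iter(lines)
    header = next(it).rstrip("\r\n").split("\t")
    for raw in it:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        cells = line.split("\t")
        cells += [""] * (len(header) - len(cells))  # tolerate a short line
        yield {name: (cell.split(",") if cell else [])
               for name, cell in zip(header, cells)}


def run_live(interface: str, fields: List[str] = FIELDS) -> Iterator[Dict[str, List[str]]]:
    """Stream parsed packets from a live capture (needs tshark and capture rights)."""
    proc = subprocess.Popen(build_cmd(interface, fields),
                            stdout=subprocess.PIPE, text=True)
    yield from parse_fields_output(proc.stdout)


# Constructed sample of what the command prints: an ARP request (frame 1),
# then a non-ARP frame whose arp.* cells are empty.
SAMPLE_OUTPUT = (
    "frame.number\teth.src\tarp.dst.hw_mac\tarp.dst.proto_ipv4\n"
    "1\t00:11:22:33:44:55\t00:00:00:00:00:00\t192.0.2.1\n"
    "2\t66:77:88:99:aa:bb\t\t\n"
)
```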
Hi, thanks for your response, but I do not want to load a file. I'm running the command
tshark.exe "-i 1 -P -V -S \"End of Packet\" -x -E separator=/t";
which gives me the whole packet list, packet bytes and packet details in the same format as Wireshark does.
But I need to highlight the bytes for each selection dynamically, like Wireshark does.
Your question is unclear. What do you mean by highlight and selection? Print out in inverse video or annotate that line of output in some way? If so, then tshark can't do that as it a) doesn't do any annotation of particular output lines and b) has no concept of "selecting" particular output lines apart from selecting particular fields by the -e parameter. Can you maybe grab some current tshark output, edit it and post that to make it clearer what you want to achieve?
Thanks for the reply. If you have used Wireshark then you must have seen that for every packet detail, the packet byte info is highlighted in blue. I've written a similar UI using tshark commands, but the correlation between the packet bytes and packet details is what I want.
That can't be done (currently) with tshark.
Then how is Wireshark doing that? I'm sure Wireshark is using tshark in the background, isn't it?
No, both use the capture library libwireshark to dissect packet data.
It's done in the packet byte widget for the GUI.
Thanks for the response Anders. Where can I find the packet byte widget? If you can throw some light on the same.
That "correlation" is the value of the dissected fields, so the correct answer is what @grahamb already posted in his answer:
If that is not what you need, please add (much) more details to your request and/or add an example of what you see in the GUI and what you would like to see in the tshark output.
Your ARP example is quite unclear, as I don't know if you are after the "Target MAC address" as that's the marked field, or after the six bytes at position 0x20, regardless of whether that's the "ARP Target MAC address" or not.
If it's the "Target MAC address", the answer of @grahamb is correct and you should accept his answer, unless you have good reasons for not doing that.
If it's the bytes at position 0x20, Wireshark/tshark is probably the wrong tool for you. To answer that question, please tell us why you need that information, if the position is always the same (0x20) and in which format you need the data.
Regards
Kurt
Hi Kurt,
I'm looking to create exactly the same UI as Wireshark, where, when the user clicks on any packet, its packet details are displayed, and when a packet detail is selected, the packet bytes are highlighted accordingly.
It has to be a dynamic process as I'm not using any pcap dump files for the same.
Like when the user clicks Target MAC Address, 0x20 is highlighted; similarly, when the user clicks Target IP Address, its corresponding bytes will be selected.
That's just not possible.
In Wireshark you can only select the packet and field of interest after it's been captured. As the GUI retains the packet info, this allows you to "travel back in time" to select an already captured packet and dissect it again.
tshark doesn't work like that; once the packet has been captured, dissected and written to the output, it's effectively done with that packet. There is no mechanism to go back and say I want field x of packet y.
So with tshark, you can (ahead of time) specify parameters on the command line for which fields you wish to display as I demonstrated, but they won't show the packet bytes with a highlight