Looking for how to extract the Information column that is displayed in Wireshark from a completed capture using tshark and dump it into a text file. I know it can be done with Wireshark manually, but I need to do it from the command line so it can be used in a script. I am familiar with some tshark commands but can't figure out the correct switch to get the "Information Column".
Use case: after outputting the Information column to a text file, I will use PowerShell to extract the names of any executables which have an executable extension and have been downloaded, i.e. .bat, .com, .scr, .exe, etc. This will be for a work network; obviously there should be many .exe's for various software updating periodically, but any of the others will hopefully alert us to nefarious activities.
asked 26 Dec '14, 21:32 zer0day
2 Answers:
Funny, it always seems to happen: as soon as I ask a question, I find my answer. Excuse my process. The command below does what I was looking for.
answered 26 Dec '14, 22:05 zer0day
If you are using Windows, please try tshark -T fields -e _ws.col.Info. I think _ws.col means Wireshark column, and .Info must be the same as the column name.
answered 29 Jan '15, 06:39 Hu Paul
Was helpful, thanks for sharing
@Hu Paul Thanks a lot for sharing this (y)
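An added example, not code from the thread or from the Wireshark project, that builds the tshark command from the answer above (with -r for the saved capture and -e _ws.col.Info for the Info column) and then does the asker's second step, pulling executable-looking names out of the Info lines and dropping the routine .exe hits. It assumes tshark is on PATH and uses constructed Info-column lines as sample input; the hypothetical http_requests_only switch exists because a DNS query line such as "A updates.example.com" otherwise matches the .com extension on every query name.

```python
import re
import subprocess
import sys

# Extensions the question lists; constructed for this example, extend as needed.
EXEC_EXTENSIONS = ("bat", "com", "scr", "exe")

# File name ending in one of those extensions, bounded by non-file-name characters.
_NAME_RE = re.compile(r"(?<![\w.-])([\w.-]+\.(?:%s))(?![\w.-])"
                      % "|".join(EXEC_EXTENSIONS), re.IGNORECASE)

# HTTP request Info lines start with the method; DNS lines would match ".com" on every query name.
HTTP_METHODS = ("GET ", "POST ", "HEAD ", "PUT ")

def tshark_info_command(capture, display_filter=None):
    """argv that prints the Info column, one line per packet, of a saved capture."""
    cmd = ["tshark", "-r", capture, "-T", "fields", "-e", "_ws.col.Info"]
    if display_filter:
        cmd += ["-Y", display_filter]  # e.g. "http.request" to keep only requests
    return cmd

def extract_executable_names(info_lines, http_requests_only=False):
    """Every executable-looking file name in the Info lines, in the order seen."""
    found = []
    for line in info_lines:
        if http_requests_only and not line.startswith(HTTP_METHODS):
            continue
        found.extend(_NAME_RE.findall(line))
    return found

def suspicious_names(info_lines, http_requests_only=False):
    """Drop plain .exe (routine software updates); the rest deserve a closer look."""
    return [n for n in extract_executable_names(info_lines, http_requests_only)
            if not n.lower().endswith(".exe")]

# Constructed sample of what "-e _ws.col.Info" prints for a handful of packets.
SAMPLE_INFO = [
    "GET /updates/patch-2014.exe HTTP/1.1",
    "HTTP/1.1 200 OK  (application/x-msdownload)",
    "GET /cdn/invoice.pdf.scr HTTP/1.1",
    "Standard query 0x1a2b A updates.example.com",
    "GET /tools/cleanup.BAT HTTP/1.1",
]

if __name__ == "__main__":
    lines = SAMPLE_INFO if len(sys.argv) < 2 else subprocess.run(
        tshark_info_command(sys.argv[1]), capture_output=True, text=True,
        check=True).stdout.splitlines()
    print("\n".join(suspicious_names(lines, http_requests_only=True)))
```

Run it with a capture path to process real output; the Info column is a display summary, so for anything beyond a first pass extract the actual request URI field (-e http.request.uri) rather than parsing the summary text.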