
I am analyzing a pcap file and extracting data using tshark, but whenever I encounter an ICMP frame, the corresponding data being extracted by tshark is duplicated.

For the following frame in Wireshark,

"ICMP","68.232.181.238","152.81.230.67"

I get

  src ip                          dst ip                          protocol
  68.232.181.238,152.81.230.67    152.81.230.67,68.232.181.238    ICMP

the above output from tshark.

I just need one value each for source and destination IP addresses. I would greatly appreciate it if someone can let me know if there is a different way to extract src and dst IP addresses from pcap. Currently I am using -e ip.src and -e ip.dst to get the IP addresses.

asked 23 Mar '15, 03:21

nnmanobala

edited 23 Mar '15, 03:22


You can use -E occurrence=f to print the IP addresses of the packet (and skip the IP header of the original packet that caused the ICMP message, which is included as ICMP payload).

From tshark -h:

  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values

answered 23 Mar '15, 06:26

SYN-bit ♦♦

Your solution works perfectly for my requirement. Thank you very much.

(23 Mar '15, 06:35) nnmanobala
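
Added example, not part of the original thread or of Wireshark's code: Python that parses a constructed ICMP destination-unreachable packet to show why ip.src and ip.dst each occur twice in such a frame, and which values occurrence=f, l and a select. The function names and the sample packet bytes are assumptions made for illustration; the addresses are the ones from the question.

```python
import socket
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # ICMP messages that quote the offending packet

def ipv4_header(src, dst, proto, payload_len):
    """Build a minimal 20-byte IPv4 header (checksum left at 0 for this sample)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))

def ip_occurrences(packet):
    """Return (src, dst) for every IPv4 header in the packet, outermost first."""
    found, offset = [], 0
    while len(packet) - offset >= 20 and packet[offset] >> 4 == 4:
        ihl = (packet[offset] & 0x0F) * 4
        if ihl < 20 or len(packet) - offset < ihl:
            break  # malformed or truncated header
        proto = packet[offset + 9]
        src = socket.inet_ntoa(packet[offset + 12:offset + 16])
        dst = socket.inet_ntoa(packet[offset + 16:offset + 20])
        found.append((src, dst))
        offset += ihl
        # Only an ICMP error carries a second IP header: 8 ICMP bytes, then the quote.
        if proto != 1 or len(packet) - offset < 8 or packet[offset] not in ICMP_ERROR_TYPES:
            break
        offset += 8
    return found

def fields(packet, occurrence="a"):
    """Mimic -e ip.src -e ip.dst for occurrence f, l or a (comma aggregator)."""
    occ = ip_occurrences(packet)
    if occurrence == "f":
        occ = occ[:1]
    elif occurrence == "l":
        occ = occ[-1:]
    return (",".join(s for s, _ in occ), ",".join(d for _, d in occ))

# Constructed sample: destination unreachable (type 3, code 3) quoting a UDP packet
# that 152.81.230.67 had sent to 68.232.181.238.
quoted = ipv4_header("152.81.230.67", "68.232.181.238", 17, 8) + bytes(8)
icmp = struct.pack("!BBHI", 3, 3, 0, 0) + quoted
SAMPLE = ipv4_header("68.232.181.238", "152.81.230.67", 1, len(icmp)) + icmp

if __name__ == "__main__":
    for mode in "afl":
        print(mode, *fields(SAMPLE, mode), sep="\t")
```

The first occurrence is the header of the ICMP frame itself; the last is the quoted header of the packet that triggered the error, with source and destination swapped.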