Two addresses for ICMP frames


I am analyzing a pcap file and extracting data using tshark, but whenever I encounter an ICMP frame, the corresponding data being extracted by tshark is duplicated.

For the following frame in wireshark,


I get

src ip dst ip protocol,, ICMP

the above output from tshark.

I just need one value each for source and destination ip addresses. I would greatly appreciate it if someone can let me know if there is a different way to extract src and dst ip addresses from pcap. Currently I am using -e ip.src and -e ip.dst to get the ip addresses.

One Answer:


You can use -E occurrence=f to print the IP addresses of the packet (and skip the IP header of the original packet that caused the icmp message, which is included as icmp payload)

From tshark -h:

  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as
     quote=d|s|n           select double, single, no quotes for values

Your solution works perfectly for my requirement. Thank you very much.

