This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Two addresses for ICMP frames


I am analyzing a pcap file and extracting data using tshark, but whenever I encounter an ICMP frame, the corresponding data being extracted by tshark is duplicated.

For the following frame in wireshark,

"ICMP","68.232.181.238","152.81.230.67"

I get the following output from tshark:

    src ip                        dst ip                        protocol
    68.232.181.238,152.81.230.67  152.81.230.67,68.232.181.238  ICMP

I just need one value each for source and destination ip addresses. I would greatly appreciate it if someone can let me know if there is a different way to extract src and dst ip addresses from pcap. Currently I am using -e ip.src and -e ip.dst to get the ip addresses.

asked 23 Mar '15, 03:21


nnmanobala
accept rate: 0%

edited 23 Mar '15, 03:22


One Answer:


You can use -E occurrence=f to print the IP addresses of the packet (and skip the IP header of the original packet that caused the ICMP message, which is included as ICMP payload).

From tshark -h:

  -E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as
                           aggregator
     quote=d|s|n           select double, single, no quotes for values

answered 23 Mar '15, 06:26


SYN-bit ♦♦
accept rate: 20%
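As an added illustration (not part of the original answer, and not tshark's own code), the small Python parser below shows where the second address comes from: an ICMP error message quotes the IP header of the packet that triggered it, so a dissector finds ip.src and ip.dst once in the outer header and again inside the ICMP payload, and occurrence=f keeps only the outer value. The packet bytes are constructed here to match the addresses in the question, not taken from the asker's capture.

```python
import struct
from ipaddress import IPv4Address

# ICMP types that carry the offending packet's IP header in their payload
# (destination unreachable, source quench, redirect, time exceeded, parameter problem)
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def ipv4_header(src, dst, proto, payload_len):
    """Minimal 20-byte IPv4 header; checksum left zero (constructed sample, not a real capture)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0,
                       IPv4Address(src).packed, IPv4Address(dst).packed)

def parse_ipv4(buf):
    """Return (src, dst, protocol, payload) for an IPv4 header at the start of buf."""
    ihl = (buf[0] & 0x0F) * 4
    return (str(IPv4Address(buf[12:16])), str(IPv4Address(buf[16:20])), buf[9], buf[ihl:])

def ip_field_occurrences(packet):
    """Every ip.src / ip.dst value a dissector finds in the frame, outer header first.

    For ICMP error messages the quoted inner header adds a second value per field,
    which is exactly the duplication reported in the question."""
    src, dst, proto, payload = parse_ipv4(packet)
    srcs, dsts = [src], [dst]
    if proto == 1 and payload and payload[0] in ICMP_ERROR_TYPES:
        inner = payload[8:]  # skip the 8-byte ICMP header to reach the quoted IP header
        if len(inner) >= 20:
            inner_src, inner_dst, _, _ = parse_ipv4(inner)
            srcs.append(inner_src)
            dsts.append(inner_dst)
    return srcs, dsts

def occurrence(values, mode="a", aggregator=","):
    """Mirror tshark's -E occurrence=f|l|a selection for one field's values."""
    if mode == "f":
        return values[0]
    if mode == "l":
        return values[-1]
    return aggregator.join(values)

# Constructed sample: a Destination Unreachable (type 3, code 3) sent by 68.232.181.238
# back to 152.81.230.67, quoting the UDP packet 152.81.230.67 -> 68.232.181.238 it rejected.
_inner = ipv4_header("152.81.230.67", "68.232.181.238", 17, 8) + b"\x00" * 8
_icmp = struct.pack("!BBHI", 3, 3, 0, 0) + _inner
SAMPLE = ipv4_header("68.232.181.238", "152.81.230.67", 1, len(_icmp)) + _icmp

if __name__ == "__main__":
    srcs, dsts = ip_field_occurrences(SAMPLE)
    print("occurrence=a:", occurrence(srcs), occurrence(dsts))
    print("occurrence=f:", occurrence(srcs, "f"), occurrence(dsts, "f"))
```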

Your solution works perfectly for my requirement. Thank you very much.

(23 Mar '15, 06:35) nnmanobala