This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filtering Using TShark to generate an Output

0

I stumbled across this link and found it potentially advantageous if I can learn how to use it:

How to Export Packet Summary to Text File

My problem is that the filter here does not work.
This is what I put into cmd:
"C:\Program Files\Wireshark\tshark.exe" -r "C:\temp\filename.pcap" -Y "ip" -o "gui.column.format:\"Info\",\"%i\"" > "C:\temp\filename.txt"

Instead of getting filtered results, I get an empty file.

I am simply trying to grab the lines that are ip only, just as I would if I were in Wireshark filtering "ip" of an existing pcap file.

asked 23 Nov '15, 09:08


Midimistro
accept rate: 50%


2 Answers:

0

I finally figured it out. There was nothing wrong with my file except a missing preference setting. It was apparently the preferences for Wireshark that needed to be set in order for it to properly filter the type of .pcap files I am using.

What I had to add was this (separate from the other -o):

-o "uat:user_dlts:\"User 8 (DLT=155)\",\"pxt\",\"0\",\"\",\"0\",\"\""

This is because I was bringing the .pcaps from a different application (Agilent) that used different analysis tools. Thus the examples above wouldn't find anything anyway since tshark wouldn't know how to parse anything except the time and packet number under those conditions (aka if it didn't have the above preference).

Thanks for the help anyway!

answered 23 Nov '15, 13:07


Midimistro
accept rate: 50%

edited 23 Nov '15, 13:08
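The accepted answer explains the cause: the capture was written with a private DLT (DLT 155, i.e. User 8), so tshark had no dissector for the frames and -Y "ip" matched nothing. The following is an added example, not code from the original thread: it reads the link-layer type from a libpcap global header, decides whether a uat:user_dlts mapping is required, and assembles the tshark argument list from the thread. The sample header is constructed inline; "pxt" is the payload dissector name used in the question and is treated here as an assumption.

```python
import struct
from typing import List, Optional

# Classic libpcap magic numbers and the byte order each one implies.
PCAP_MAGICS = {
    b"\xa1\xb2\xc3\xd4": ">", b"\xd4\xc3\xb2\xa1": "<",  # microsecond timestamps
    b"\xa1\xb2\x3c\x4d": ">", b"\x4d\x3c\xb2\xa1": "<",  # nanosecond timestamps
}
LINKTYPE_USER0, LINKTYPE_USER15 = 147, 162  # DLT_USER0..DLT_USER15, reserved for private use

def pcap_linktype(header: bytes) -> int:
    """Return the link-layer type stored in a 24-byte libpcap global header."""
    if len(header) < 24:
        raise ValueError("not a complete pcap global header")
    endian = PCAP_MAGICS.get(header[:4])
    if endian is None:
        raise ValueError("unknown magic: pcapng or not a libpcap file")
    # Fields: magic, version major, version minor, thiszone, sigfigs, snaplen, linktype
    return struct.unpack(endian + "IHHiIII", header[:24])[6]

def user_dlt_pref(linktype: int, payload_proto: str) -> Optional[str]:
    """Build the uat:user_dlts preference that maps a USERn DLT to a dissector.
    Returns None for a standard DLT that tshark already knows how to dissect."""
    if not LINKTYPE_USER0 <= linktype <= LINKTYPE_USER15:
        return None
    n = linktype - LINKTYPE_USER0
    # UAT fields: encapsulation, payload proto, header size, header proto, trailer size, trailer proto
    return 'uat:user_dlts:"User %d (DLT=%d)","%s","0","","0",""' % (n, linktype, payload_proto)

def tshark_info_command(pcap_path: str, linktype: int, payload_proto: str,
                        display_filter: str = "ip") -> List[str]:
    """argv that prints only the Info column of packets matching display_filter."""
    argv = ["tshark", "-r", pcap_path, "-Y", display_filter,
            "-o", 'gui.column.format:"Info","%i"']
    pref = user_dlt_pref(linktype, payload_proto)
    if pref is not None:
        argv += ["-o", pref]  # without this mapping, -Y "ip" matches nothing on a USERn capture
    return argv

def sample_header(linktype: int) -> bytes:
    """Constructed little-endian pcap global header (version 2.4, snaplen 65535)."""
    return struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)

if __name__ == "__main__":
    hdr = sample_header(155)  # DLT 155 = User 8, as in the question
    lt = pcap_linktype(hdr)
    print(lt, " ".join(tshark_info_command("filename.pcap", lt, "pxt")))
```

On a real file, read the first 24 bytes of the .pcap and pass them to pcap_linktype; a result between 147 and 162 means the user_dlts preference is needed before any display filter on upper-layer protocols can match.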

0

I am simply trying to grab the lines that are ip only, just as I would if I were in Wireshark filtering "ip" of an existing pcap file.

Then please try this:

tshark -nr input.pcap -Y "ip" > c:\temp\output.txt

There is no need to redefine the column format, unless you are looking for something very special.

If you want to write a new pcap file, please try this

tshark -nr input.pcap -Y "IP" -w output.pcap

BTW: the correct format for gui.column.format would be:

tshark -nr input.pcap -Y "ip" -o "gui.column.format:\"Info\", \"%i\""

Regards
Kurt

answered 23 Nov '15, 09:31


Kurt Knochner ♦
accept rate: 15%

edited 23 Nov '15, 10:30

First, I am trying to grab only the info column of each line that is ip only. Second, the pcap file is a file that already exists (captured by a different program and converted to pcap), not as a live capture, like you showed here. Third, the output file desired is a .txt file.

"C:\Program Files\Wireshark\tshark.exe" -r "C:\temp\filename.pcap" -o "gui.column.format:\"Info\",\"%i\"" > "C:\temp\filename.txt" works, BUT it prints out every line, which is not what I want.

Lastly, I would think {-Y "ip"} or {-2 -r <filename.pcap> -R "ip"} would work, but as I said before, both of them turn out blanks. If I try -O on the other hand, it generates a file even bigger than the pcap and that is not open-able.

Any ideas?

(23 Nov '15, 10:19) Midimistro

not as a live capture, like you showed here.

-ni was just a typo. I corrected it to -nr

BUT it prints out every line, which is not what I want.

O.K. can you please post an example of what you want?

Lastly, I would think {-Y "ip"} or {-2 -r <filename.pcap> -R "ip"} would work, but as I said before, both of them turn out blanks.

It works on my system, so I assume it will work on yours as well.

Please run the following command. It should show at least some output if there is IP traffic in the pcap file.

tshark -nr input.pcap -Y "ip"

Regards Kurt

(23 Nov '15, 10:32) Kurt Knochner ♦