This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I just add one extra field while using tshark?

0

Hi all.

I would like to just add one extra field in tshark's output.

Here is the command I execute:

sudo tshark -p -t e -i mon0

Below is the output:

1449064211.939089 SmcNetwo_a7:11:a8 -> Broadcast 802.11 127 Beacon frame, SN=3671, FN=0, Flags=........, BI=100, SSID=TPE-Free

How can I just add one extra field?

If I specify a field, the output will only show one field and forget the original output.

Thanks in advance!

asked 02 Dec '15, 07:05


Tim Hsu


One Answer:

0

Presumably you're selecting the field to display with -T fields -e field? If so, you can add as many fields as you want with extra -e field2 -e field3 ... -e fieldN parameters.

answered 02 Dec '15, 07:19


grahamb ♦

Thanks for your answer, but how can I know these default field names?

(02 Dec '15, 07:21) Tim Hsu

Open the capture in Wireshark, select a typical packet, go to the packet pane and expand all levels of detail which are interesting for you. Next, select the individual packet fields which interest you, one by one, and for each of them use right-click and choose "prepare a filter -> ...and selected" from the context menu. This way, a string of field1 == value1 && field2 == value2 && ... builds up in the "display filter" field.

Now copy that string and edit it, keeping the field names and replacing the ==, &&, () and values with -e .

(02 Dec '15, 07:32) sindy
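
The copy-and-edit step from the last comment can be scripted. The following is an added example, not part of the original thread: the function name filter_to_e_args is hypothetical, and the sample filter (field values and MAC address) is constructed.

```shell
#!/bin/sh
# Added example: convert a display filter assembled with
# "prepare a filter -> ...and selected" into the -e arguments
# that tshark -T fields expects. filter_to_e_args is a hypothetical helper.

filter_to_e_args() {
    printf '%s\n' "$1" | awk '
    {
        gsub(/"[^"]*"/, "")      # drop quoted values; they may contain && or ()
        gsub(/[()]/, " ")        # drop the grouping parentheses
        n = split($0, clause, /&&/)
        out = ""
        for (i = 1; i <= n; i++) {
            split(clause[i], tok, " ")   # tok[1] is the field name of this clause
            field = tok[1]
            if (field == "" || seen[field]++) continue   # skip blanks and repeats
            out = out (out == "" ? "" : " ") "-e " field
        }
        print out
    }'
}

# Constructed sample filter, as it would appear in the display filter box.
SAMPLE_FILTER='(wlan.fc.type_subtype == 0x0008) && (wlan.sa == 00:11:22:33:44:55) && (wlan.ssid == "TPE-Free")'

filter_to_e_args "$SAMPLE_FILTER"

# Typical use (the word splitting of the unquoted substitution is intended):
#   tshark -p -i mon0 -T fields $(filter_to_e_args "$SAMPLE_FILTER")
```
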