This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Cannot write filtered fields from .pcap file to text file

I have a .pcap file which I got after using sniffer tool from mikrotik router. I used the command tshark -r macpack.pcap -T fields -E occurrence=f -e eth.addr > output.txt ,to filter mac addresses and store it in output.txt file. When I open output.txt in gedit it shows nothing. When I open macpack.pcap file in wireshark it shows the captured packets. What am I missing? . Also can anybody tell me field names for extracting ssid and signal strength as well

mikrotik tshark wireshark

asked 30 Jul '16, 11:22

tatsugot
16●5●5●8
accept rate: 0%

One Answer:

Open the file in GUI Wireshark, go through the packet dissection pane, and click on the individual fields you want to have in your tshark output. Each time you click on a field, you'll see its description and its short name (in parentheses) in the left bottom corner of the Wireshark window. You can also right-click the field in the packet dissection pane and choose Copy -> Field Name from the context menu to get the short name into clipboard.

As for eth.addr, such field does not exist in the wireless protocol hierarchy. You have to use wlan.addr instead (which represents any of wlan.sa, wlan.ta, wlan.da, wlan.ra).

answered 30 Jul '16, 12:27

sindy
6.0k●4●8●51
accept rate: 24%

edited 30 Jul '16, 12:39