I want to extract some fields from a pcap file, i have written followingcode for it tshark -r file -T fields -E separator=, -e frame.time -e wlan.sa -E occurrence=f > output.csv but it gives repetitive result,changing occurences a and l also gives same result. Why isnt this field having no effect asked 14 Aug '16, 22:55  tatsugot |
This is a static archive of our old Q&A Site.
Please post any new questions and answers at ask.wireshark.org.
By "repetitive result" do you mean you get more than one occurrence of the time stamp. or source address, on each line of output?
I'd guess it is a misunderstanding. The
-E occurrenceparameter controls how several occurrences of the same protocol field in a single frame are treated. Asframe.timeand normally alsowlan.saexist just once in each frame, I'd suppose that you want to see the timestamp of the first occurrence of eachwlan.saMAC address in the capture. But to do that, you'll need a script - tshark cannot do this directly.My guess is that but it gives repetitive result was meant to say, but it gives the same result.
If there's only one occurrence of a field within a packet, then the first occurrence is the same as the last occurrence is the same as all occurrences - you get the single occurrence in all 3 cases.
Sorry, It was my mistake. The file had only one field.