This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Where can I find a list of all possible fields for the Tshark -e commandline argument?

1
1

In the Tshark CLI, we can use the command-line argument -T fields, and then follow it with the -e argument, whose value has to be the name of the field I want to print.

But where are my options? What values can I use for -e?

Where can I find all the fields that I can choose from? How do you get to know what field you need to use?

asked 20 Aug '16, 07:31

Jesss
accept rate: 0%


2 Answers:

2

The protocol fields that can be used in display filters can also be used as values to -e in tshark. So you have three ways to find the ones you need:

  • in the relevant Wireshark documentation

  • by running Wireshark and using the Expression... button next to the display filter form field to open a tree with all protocols and their fields.

  • by starting to type a protocol name into the display filter and using the context completion.

On top of the actual protocol fields, you can also use column headers from the packet list as arguments to -e if you put _ws.col. in front of the column name. An example would be -e _ws.col.Info

answered 20 Aug '16, 10:54

sindy
accept rate: 24%

4

Or by using the command tshark -G fields, which dumps all the registered fields.

answered 20 Aug '16, 12:14

Pascal Quantin
accept rate: 30%

edited 20 Aug '16, 23:56

sindy
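
An added example, not part of the original answers: two shell helpers that read the tab-separated output of tshark -G fields, one listing the fields of a protocol and one reporting -e names that are not registered, so a typo is caught before a capture is processed. The sample records are constructed, the function names are hypothetical, and skipping _ws.col.* column names instead of checking them is an assumption.

```shell
#!/bin/sh
# Typical use (fields.tsv is a hypothetical file name):
#   tshark -G fields > fields.tsv
#   fields_for_proto tcp < fields.tsv
#   unknown_fields fields.tsv ip.src tcp.srcport
#
# Record layout of `tshark -G fields` (tab-separated):
#   P <protocol name> <protocol abbrev>
#   F <field name> <field abbrev> <type> <parent protocol> <base> <bitmask> <blurb>

# Constructed sample records in that layout, so the helpers run without tshark.
sample_fields() {
  printf 'P\tInternet Protocol Version 4\tip\n'
  printf 'F\tSource Address\tip.src\tFT_IPv4\tip\t\t0x0\t\n'
  printf 'F\tTime to Live\tip.ttl\tFT_UINT8\tip\tBASE_DEC\t0x0\t\n'
  printf 'P\tTransmission Control Protocol\ttcp\n'
  printf 'F\tSource Port\ttcp.srcport\tFT_UINT16\ttcp\tBASE_PT_TCP\t0x0\t\n'
}

# Read a dump on stdin; print "abbrev<TAB>type<TAB>name" for each field
# whose parent protocol is $1. The abbrev column is the value to pass to -e.
fields_for_proto() {
  awk -F '\t' -v proto="$1" \
    '$1 == "F" && $5 == proto { print $3 "\t" $4 "\t" $2 }'
}

# $1 = dump file, remaining arguments = names intended for -e.
# Prints every name that has no matching F record in the dump.
unknown_fields() {
  dump=$1
  shift
  for f in "$@"; do
    # Assumption: packet-list column names (_ws.col.<column>) are not checked.
    case $f in _ws.col.*) continue ;; esac
    awk -F '\t' -v want="$f" \
      '$1 == "F" && $3 == want { found = 1 } END { exit !found }' "$dump" ||
      printf '%s\n' "$f"
  done
}

# Demo on the constructed sample: lists ip.src and ip.ttl.
sample_fields | fields_for_proto ip
```
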