This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is there something like -e “ip.src or ipv6.src”

0

Hi all,

I want to use tshark -T and -e to extract data from PCAP file. Some of the data are ipv4 data, some are ipv6 data.

I'm using this line now:

tshark -r test.pcap -T fields -e frame.number -e eth.src -e eth.dst -e ip.src -e ipv6.src -e ip.dst -e ipv6.dst -e frame.len -E header=y -E separator=, > test1.csv

Then there would be empty fields in test1.csv, since the ipv4 data won't have ipv6.src and ipv6.dst.

Is there a way to select ip.src or ipv6.src, like -e "ip.src or ipv6.src"?

asked 30 Oct '16, 14:14

zpymyyn
6113
accept rate: 0%


One Answer:

2

Nothing like -e "field_1 or field_2" exists for a generic case, but in your particular one, -e _ws.col.Source should output either ip.src or ipv6.src, depending on their presence in the frame. I have no clue which one is output if both are present in the same frame, though.

answered 30 Oct '16, 14:39

sindy
6.0k4851
accept rate: 24%

Hi sindy, thanks a lot!

(30 Oct '16, 15:01) zpymyyn

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(31 Oct '16, 02:43) Jaap ♦

But beware of bug 13020.

(31 Oct '16, 02:44) Jaap ♦
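
An alternative to relying on a column field is to keep all four address fields in the tshark command from the question and merge them afterwards. The following is an added example, not part of the original thread: the names coalesce_ip_columns, sample_csv and the extra ipver column are hypothetical. It assumes the -E header=y -E separator=, layout from the question and one value per field (tshark's -E occurrence=f), because the default aggregator for repeated fields is also a comma.

```shell
# Added example: merge ip.src/ipv6.src and ip.dst/ipv6.dst from tshark CSV.
# Assumes -E header=y -E separator=, and one value per field (-E occurrence=f).
coalesce_ip_columns() {
    awk -F, -v OFS=, '
    # Return whichever address is present; if both are, keep both joined by "|".
    function pick(a, b) { return (a != "" && b != "") ? a "|" b : a b }
    NR == 1 {
        # Find the columns by header name, not by position.
        for (i = 1; i <= NF; i++) col[$i] = i
        n = split("ip.src ipv6.src ip.dst ipv6.dst", need, " ")
        for (k = 1; k <= n; k++)
            if (!(need[k] in col)) { missing = 1; exit }
        s4 = col["ip.src"]; s6 = col["ipv6.src"]
        d4 = col["ip.dst"]; d6 = col["ipv6.dst"]
    }
    {
        if (NR == 1) { src = "src"; dst = "dst"; ver = "ipver" }
        else {
            src = pick($s4, $s6); dst = pick($d4, $d6)
            if ($s4 != "" && $s6 != "") ver = "both"   # e.g. a tunnel
            else if ($s4 != "") ver = "4"
            else if ($s6 != "") ver = "6"
            else ver = "none"                          # e.g. ARP
        }
        out = ""; sep = ""
        for (i = 1; i <= NF; i++) {
            if (i == s6 || i == d6) continue           # folded into src/dst
            v = (i == s4) ? src : ((i == d4) ? dst : $i)
            out = out sep v; sep = OFS
        }
        print out, ver
    }
    END { if (missing) exit 2 }                        # header lacks a field
    '
}

# Constructed sample in the layout of the question's output (not real traffic).
sample_csv() {
    cat <<'EOF'
frame.number,eth.src,eth.dst,ip.src,ipv6.src,ip.dst,ipv6.dst,frame.len
1,00:00:5e:00:53:01,00:00:5e:00:53:02,192.0.2.10,,198.51.100.7,,74
2,00:00:5e:00:53:02,00:00:5e:00:53:01,,2001:db8::1,,2001:db8::2,94
3,00:00:5e:00:53:01,ff:ff:ff:ff:ff:ff,,,,,60
4,00:00:5e:00:53:01,00:00:5e:00:53:02,192.0.2.10,2001:db8::1,198.51.100.7,2001:db8::2,114
EOF
}

sample_csv | coalesce_ip_columns
```

Frames that carry both an IPv4 and an IPv6 header are marked "both" and keep both addresses, so the ambiguous case stays visible in the CSV instead of being resolved silently.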