$ tshark -r ./nfl.pcapng  -T fields -e _ws.col.Time -e ip.src -e ip.dst -e _ws.col.Info -Eheader=y -c 3 -t ad

_ws.col.Time    ip.src  ip.dst  _ws.col.Info
2018-10-11 18:00:49.189070      192.168.1.70    72.21.91.29     54042 → 80 [ACK] Seq=1 Ack=1 Win=253 Len=1
2018-10-11 18:00:49.198412      72.21.91.29     192.168.1.70    80 → 54042 [ACK] Seq=1 Ack=2 Win=288 Len=0 SLE=1 SRE=2
2018-10-11 18:00:49.270602      192.168.1.70    23.62.236.26    54000 → 80 [ACK] Seq=1 Ack=1 Win=255 Len=1
$

Time formats available with -t:

  -t a|ad|d|dd|e|r|u|ud|?  output format of time stamps (def: r: rel. to first)
        "a"    for absolute
        "ad"   for absolute with YYYY-MM-DD date
        "adoy" for absolute with YYYY/DOY date
        "d"    for delta
        "dd"   for delta displayed
        "e"    for epoch
        "r"    for relative
        "u"    for absolute UTC
        "ud"   for absolute UTC with YYYY-MM-DD date
        "udoy" for absolute UTC with YYYY/DOY date

https://www.wireshark.org/docs/man-pages/tshark.html

-e <field>
Add a field to the list of fields to display if -T ek|fields|json|pdml is selected. This option can be used multiple times on the command line. At least one field must be provided if the -T fields option is selected. Column names may be used prefixed with "_ws.col."

Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info

Giving a protocol rather than a single field will print multiple items of data about the protocol as a single field. Fields are separated by tab characters by default. -E controls the format of the printed fields.
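
Added example (not part of the original answer): a parser for the tab-separated `-T fields -E header=y -t ad` output shown above, splitting on tabs only so the spaces inside the timestamp and Info columns, and empty fields on non-IP frames, stay in the right column. The function names are assumptions, the first three sample rows are rebuilt from the output above, and the ARP row is constructed.

```python
import csv
import io
from datetime import datetime

# Constructed sample: the three rows from the output above, tab-separated as
# tshark prints them, plus one constructed ARP row with no ip.src / ip.dst.
SAMPLE = (
    "_ws.col.Time\tip.src\tip.dst\t_ws.col.Info\n"
    "2018-10-11 18:00:49.189070\t192.168.1.70\t72.21.91.29\t"
    "54042 \u2192 80 [ACK] Seq=1 Ack=1 Win=253 Len=1\n"
    "2018-10-11 18:00:49.198412\t72.21.91.29\t192.168.1.70\t"
    "80 \u2192 54042 [ACK] Seq=1 Ack=2 Win=288 Len=0 SLE=1 SRE=2\n"
    "2018-10-11 18:00:49.270602\t192.168.1.70\t23.62.236.26\t"
    "54000 \u2192 80 [ACK] Seq=1 Ack=1 Win=255 Len=1\n"
    "2018-10-11 18:00:49.300000\t\t\tWho has 192.168.1.1? Tell 192.168.1.70\n"
)


def parse_ad(ts):
    """Parse a '-t ad' timestamp (YYYY-MM-DD HH:MM:SS.frac) into a naive datetime.

    '-t ad' prints local wall-clock time with no zone; use '-t ud' or '-t e'
    when captures from different hosts have to be correlated.
    """
    head, _, frac = ts.partition(".")
    # strptime's %f accepts at most six digits, so longer fractions are truncated.
    return datetime.strptime(f"{head}.{(frac or '0')[:6]}", "%Y-%m-%d %H:%M:%S.%f")


def parse_fields(text):
    """Turn '-T fields -E header=y' output into dicts keyed by the header row."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)  # quotes in Info are data
    rows = []
    for rec in reader:
        rec["time"] = parse_ad(rec["_ws.col.Time"])
        rows.append(rec)
    return rows


def deltas(rows):
    """Seconds between consecutive rows (0.0 for the first row)."""
    return [0.0] + [(b["time"] - a["time"]).total_seconds()
                    for a, b in zip(rows, rows[1:])]


if __name__ == "__main__":
    for row, d in zip(parse_fields(SAMPLE), deltas(parse_fields(SAMPLE))):
        print(f"{d:.6f}", row["ip.src"] or "-", row["ip.dst"] or "-", row["_ws.col.Info"])
```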
