Revision history

initial version

If by "human-readable, plain text output file with the correct columns" you mean output like the packet summary pane in Wireshark, there is an alternative to -T, -E, and -e.

Just try running, for example, "c:\Program Files\Wireshark\tshark.exe" -r D:\capturefiles\Daily-capture-2019-11-10_00001_20191110143657.pcap.

That defaults to printing the columns you've set up in Wireshark or, if you've never edited the column list in Wireshark, the default column list. You can set the column list by passing the argument -o gui.column.format:cols, where cols is a string containing a sequence of column title/column type pairs, with commas separating the column title and the corresponding type following it, as well as separating a column type from the next column's title.

The column titles must be quoted, with double quotes, if they contain spaces; that would require that the entire argument be quoted, and that the quoted argument itself contain quotes - that can be done on UN*X command lines by using single quotes for the entire argument and double quotes for the column titles, or by using double quotes for the entire argument and escaping the double quotes around the column titles with backslashes; I'm not sure how to do that on Windows command lines.

The column types are currently documented only in the output of tshark -G column-formats. %Cus is described as just "Custom"; that's used for custom columns that use a packet field, and the syntax is %Cus:{name}:{instance}:{resolved}, where {name} is the field name, {instance} is the ordinal number of the instance to display (0-origin, so 0 is the first instance in the packet, 1 is the second instance in the packet, etc.), and {resolved} is either R if the column is "resolved" or U if it's "unresolved". The distinction between "resolved" and "unresolved" is not documented and is not clear; it doesn't seem to work in a sensible fashion for the arp.opcode field, as the "unresolved" version is blank rather than the numerical value of the opcode.

There is currently no mechanism to cause the column titles to be written out as the first line.
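As an added illustration of the quoting problem described above (example code, not part of the answer or of Wireshark itself): a POSIX shell helper that assembles the gui.column.format value from title/type pairs, double-quoting any title that contains a space, and wraps the whole argument in single quotes so the inner double quotes reach tshark. The capture path and the column list are placeholders chosen for the example.

```shell
#!/bin/sh
# Build the value for "-o gui.column.format:..." from title/type pairs
# (e.g. "No." "%m" "Time" "%t" "ARP opcode" "%Cus:arp.opcode:0:U").
# Titles containing a space are wrapped in double quotes, as the answer
# says tshark requires; other titles are passed through unchanged.
column_format() {
    fmt=""
    while [ "$#" -ge 2 ]; do
        title=$1; type=$2; shift 2
        case $title in
            *" "*) title="\"$title\"" ;;
        esac
        if [ -z "$fmt" ]; then
            fmt="$title,$type"
        else
            fmt="$fmt,$title,$type"
        fi
    done
    printf '%s\n' "$fmt"
}

# Print (do not run) the tshark command line for a capture file, with the
# whole -o argument single-quoted so the embedded double quotes survive.
tshark_cmd() {
    capture=$1; shift
    printf "tshark -r '%s' -o 'gui.column.format:%s'\n" \
        "$capture" "$(column_format "$@")"
}

# Run tshark if it is installed; otherwise just show the command line.
# Example: run_or_show capture.pcap "No." "%m" "Time" "%t" "Src port" "%Cus:tcp.srcport:0:R"
run_or_show() {
    capture=$1; shift
    if command -v tshark >/dev/null 2>&1; then
        tshark -r "$capture" -o "gui.column.format:$(column_format "$@")"
    else
        tshark_cmd "$capture" "$@"
    fi
}
```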