1 | initial version |
The posted image would appear to be highlighting the TTL field of the IP header, so assuming that's the field you're interested in, you can obtain it using the following:
tshark -r test.pcapng -Y "frame.number == 13" -T fields -e ip.ttl -w output.bin
You can refer to the Wireshark Display Filter Reference page to find all available Wireshark display filters, including the ip.ttl field. You can also find them in other ways. Refer to the wireshark-filter man page for more information.
2 | No.2 Revision |
The posted image would appear to be highlighting the TTL field of the IP header, so assuming that's the field you're interested in, you can obtain it using the following:
tshark -r test.pcapng -Y "frame.number == 13" -T fields -e ip.ttl -w output.bin
You can refer to the Wireshark Display Filter Reference page to find all available Wireshark display filters, including the ip.ttl field. You can also find them in other ways. Refer to the wireshark-filter man page for more information.
EDIT: If you want all the bytes of frame number 13 to be displayed, you can call tshark like so:
tshark -r test.pcapng -Y "frame.number == 13" -x -w output.bin
So if for whatever reason you don't like the -e ip.ttl solution, you could isolate the 22nd byte from the hex output generated with -x with a little piping to tools like grep and cut, for example:
tshark -r test.pcapng -Y "frame.number == 13" -x -w output.bin | grep "^0010" | cut -d ' ' -f 9
There may be a more elegant solution than this, but this should be a good starting point in the absence of any other suitable solution, provided of course that your platform has both grep and cut available.
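
An added example (not part of the original answer): the grep/cut pipeline above relies on the TTL sitting at byte offset 22, which holds only for untagged Ethernet II carrying IPv4. The sketch below reads any offset from hex-dump text in the layout tshark -x prints and checks the EtherType first; the function names and both sample dumps are constructed for illustration.

```shell
#!/bin/sh
# Constructed samples in `tshark -x` layout: 4-digit hex offset, two spaces, bytes.
SAMPLE_DUMP='0000  00 1a 2b 3c 4d 5e 00 11 22 33 44 55 08 00 45 00   ..+<M^.."3DU..E.
0010  00 3c 1c 46 40 00 40 06 b1 e6 c0 a8 00 68 c0 a8   .<.F@.@......h..
0020  00 01                                             ..'
# Same packet with an 802.1Q tag inserted: every IP field moves 4 bytes later.
SAMPLE_VLAN='0000  00 1a 2b 3c 4d 5e 00 11 22 33 44 55 81 00 00 64   ..+<M^.."3DU...d
0010  08 00 45 00 00 3c 1c 46 40 00 40 06 b1 e6 c0 a8   ..E..<.F@.@.....
0020  00 68 c0 a8 00 01                                 .h....'

# byte_at OFFSET: read a dump on stdin, print the byte at decimal OFFSET as hex.
byte_at() {
    awk -v want="$1" '
        function hex(s,    i, n) {
            n = 0
            for (i = 1; i <= length(s); i++)
                n = n * 16 + index("0123456789abcdef", tolower(substr(s, i, 1))) - 1
            return n
        }
        /^[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]  / {
            base = hex(substr($0, 1, 4))
            if (want >= base && want < base + 16) {
                # Fixed columns: byte i of a row starts at column 7 + 3*i,
                # so the ASCII column on the right is never misread as data.
                b = substr($0, 7 + 3 * (want - base), 2)
                if (b ~ /^[0-9a-fA-F][0-9a-fA-F]$/) { print tolower(b); found = 1 }
                exit
            }
        }
        END { exit !found }'
}

# ipv4_ttl DUMP: print the TTL in decimal, but only when the EtherType at
# offsets 12-13 is 0800, so offset 22 really is the IPv4 TTL.
ipv4_ttl() {
    etype="$(printf '%s\n' "$1" | byte_at 12)$(printf '%s\n' "$1" | byte_at 13)"
    if [ "$etype" != "0800" ]; then
        echo "EtherType $etype: offset 22 is not the IPv4 TTL" >&2
        return 1
    fi
    ttl_hex=$(printf '%s\n' "$1" | byte_at 22) || return 1
    echo $((0x$ttl_hex))
}

ipv4_ttl "$SAMPLE_DUMP"          # untagged Ethernet II + IPv4
ipv4_ttl "$SAMPLE_VLAN" || true  # refused: a blind read would return an IP ID byte
```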