The posted image would appear to be highlighting the TTL field of the IP header, so assuming that's the field you're interested in, you can obtain it using the following:

tshark -r test.pcapng -Y "frame.number == 13" -T fields -e ip.ttl -w output.bin

You can refer to the Wireshark Display Filter Reference page to find all available Wireshark display filters including the ip.ttl field. You can also find them in other ways. Refer to the wireshark-filter man page for more information.

EDIT: If you want all the bytes of frame number 13 to be displayed, you can call tshark like so:

tshark -r test.pcapng -Y "frame.number == 13" -x -w output.bin

So if for whatever reason you don't like the -e ip.ttl solution, you could isolate the 22nd byte from the hex output generated with -x with a little piping to tools like grep and cut, for example:

tshark -r test.pcapng -Y "frame.number == 13" -x -w output.bin | grep "^0010" | cut -d ' ' -f 9

There may be a more elegant solution than this, but this should be a good starting point in the absence of any other suitable solution, provided of course that your platform has both grep and cut available.
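
A more general form of the grep/cut approach above, as an added example that is not part of the original answer: a shell function that reads `tshark -x` style hex output and returns the byte at any 0-based frame offset, using fixed column positions so the ASCII column cannot be mistaken for data. The names `byte_at_offset` and `sample_dump` and the sample frame are constructed for illustration; it assumes the dump holds a single frame in the usual layout of a 4-digit offset, two spaces, then up to 16 space-separated bytes.

```sh
#!/bin/sh
# Added example (not from the original answer): byte at a frame offset from `tshark -x` output.

# Constructed sample in the `tshark -x` layout: Ethernet + IPv4 + ICMP echo,
# with the IPv4 TTL (0x40) at frame offset 22.
sample_dump() {
cat <<'EOF'
0000  00 1a 2b 3c 4d 5e 00 11 22 33 44 55 08 00 45 00   ..+<M^.."3DU..E.
0010  00 1c 00 01 00 00 40 01 f6 dc c0 00 02 01 c0 00   ......@.........
0020  02 02 08 00 f7 ff 00 00 00 00                     ..........
EOF
}

# byte_at_offset OFFSET: read one frame's hex dump on stdin and print the byte at
# the decimal, 0-based OFFSET. Exits non-zero if the frame is shorter than that.
byte_at_offset() {
    awk -v want="$1" '
        # Portable hex-to-decimal (strtonum is gawk-only).
        function hexval(s,    i, n) {
            n = 0
            for (i = 1; i <= length(s); i++)
                n = n * 16 + index("0123456789abcdef", tolower(substr(s, i, 1))) - 1
            return n
        }
        # Dump rows start with a 4-hex-digit offset followed by two spaces.
        /^[0-9a-fA-F][0-9a-fA-F][0-9a-fA-F][0-9a-fA-F]  / {
            base = hexval(substr($0, 1, 4))
            if (want >= base && want < base + 16) {
                # Byte i of a row sits at column 7 + 3*i; a short last row is
                # space-padded there, so padding never matches as a byte.
                b = substr($0, 7 + 3 * (want - base), 2)
                if (b ~ /^[0-9a-fA-F][0-9a-fA-F]$/) { print b; found = 1 }
                exit
            }
        }
        END { exit !found }
    '
}

# Against a capture (file name and filter as in the commands above):
#   tshark -r test.pcapng -Y "frame.number == 13" -x | byte_at_offset 22
sample_dump | byte_at_offset 22
```

On a frame with no VLAN tag and a 14-byte Ethernet header, offset 22 is the IPv4 TTL, which is the byte the `cut -f 9` pipeline selects from the `0010` row.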