For a couple of fields, especially fields with only one occurrence per packet, the easiest way is to use tshark -T fields -e <field1> -e <field2> .... If you need the full dissection tree for the relationship between fields, the PDML output (-T pdml) or the JSON output (-T json) might be better options. Have a look at tshark -h or the manpage for all kinds of output options.

Here is an example of the -T fields output:

$ tshark -r icmp-vlan-test.pcapng -T fields -e vlan.id -e ip.src -e ip.dst
1667    91.132.51.132   198.51.100.10
1667    198.51.100.10   91.132.51.132
1667    103.30.42.149   198.51.100.10
1667    198.51.100.10   103.30.42.149
1667    103.56.114.166  198.51.100.10
1667    198.51.100.10   103.56.114.166
97  10.0.0.101  198.51.100.10
1667    10.0.0.101  198.51.100.10
1667    198.51.100.10   10.0.0.101
97  198.51.100.10   10.0.0.101
97  10.0.0.101  198.51.100.10
1667    10.0.0.101  198.51.100.10
1667    198.51.100.10   10.0.0.101
97  198.51.100.10   10.0.0.101
$
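
An added example, not part of the original answer: a Python parser for -T fields output that shows why the answer recommends it mainly for fields with one occurrence per packet. The sample rows are constructed, and the code assumes tshark's default tab column separator and "," occurrence aggregator.

```python
from collections import Counter

FIELDS = ("vlan.id", "ip.src", "ip.dst")

# Constructed sample in the shape of:
#   tshark -r <file> -T fields -e vlan.id -e ip.src -e ip.dst
# Assumed defaults: tab between columns, "," between repeated occurrences.
SAMPLE = "\n".join([
    "1667\t10.0.0.101\t198.51.100.10",
    "97\t198.51.100.10\t10.0.0.101",
    "1667\t10.0.0.101\t198.51.100.10",
    "\t10.0.0.101\t198.51.100.10",         # untagged frame: vlan.id is empty
    "1667,97\t10.0.0.101\t198.51.100.10",  # two VLAN tags: vlan.id occurs twice
    # ICMP error quoting the original IP header: ip.src and ip.dst occur twice
    "97\t198.51.100.10,10.0.0.101\t10.0.0.101,198.51.100.10",
]) + "\n"


def parse_fields(text, names=FIELDS, separator="\t", aggregator=","):
    """Yield (row_number, {field: [occurrences]}) for each output line."""
    for row_number, line in enumerate(text.splitlines(), 1):
        if line == "":
            continue
        cols = line.split(separator)
        cols += [""] * (len(names) - len(cols))  # tolerate stripped trailing tabs
        yield row_number, {
            name: (value.split(aggregator) if value else [])
            for name, value in zip(names, cols)
        }


def summarize(text, names=FIELDS):
    """Count packets per (vlan, src, dst) using each field's first occurrence.

    Also returns the rows where any field repeated. Those rows lose the
    relationship between occurrences and are candidates for -T json or -T pdml.
    Row numbers are output lines; add -e frame.number to get frame numbers.
    """
    flows, repeated = Counter(), []
    for row_number, pkt in parse_fields(text, names):
        if any(len(values) > 1 for values in pkt.values()):
            repeated.append(row_number)
        flows[tuple(pkt[n][0] if pkt[n] else None for n in names)] += 1
    return flows, repeated


if __name__ == "__main__":
    flows, repeated = summarize(SAMPLE)
    for key, count in flows.most_common():
        print(count, key)
    print("rows with repeated fields:", repeated)
```
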