You can use the option -c (packet count) in combination with a read filter, option -2R, to filter out only the first hit on the filter. Thus:

tshark -r file.pcap -2R 'filter expression' -c 1 -T fields -e desired.field1 -e desired.field2
The reason is that a read filter causes the frame numbers to be renumbered. So frame number 1 contains the first hit.
Using a display filter like this, -Y 'filter expression' -c 1, only works if the first packet in the capture file happens to match the filter, because the -c limits the number of packets read from the file.
This and other tricks are shown in the tshark sessions at https://sharkfesteurope.wireshark.org/retrospective