Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2023-07-31 14:50:14 +0000

cmaynard gravatar image

You can also try directly specifying the columns you want instead of using -T fields and -e field1 ... -e fieldN. For example:

Windows:

tshark.exe -r file.pcap -Y "tcp or udp" -o "gui.column.format:\"IP Protocol\",\"%Cus:ip.proto\",\"Source Port\",\"%S\",\"Destination Port\",\"%D\""

*Nix:

tshark -r file.pcap -Y "tcp or udp" -o 'gui.column.format:"IP Protocol","%Cus:ip.proto","Source Port","%S","Destination Port","%D"'

NOTE: You can use %rS for resolved source ports, %uS for unresolved source ports, %rD for resolved destination ports, or %uD for unresolved destination ports.

For more help with specifying columns, run tshark -G column-formats.