Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2024-02-14 15:25:47 +0000

Chuckc gravatar image

Using a profile with all protocols disabled except eth:

$ tshark -r ./bvlc.pcap -T fields -e frame.number -e eth.addr -e eth.type -e data -C NO_PROTOCOLS -Y frame.number==304 | sed -e "s/\t//2" -e "s/\t//2" -e "s/0x//" -e "s/[:,]//g"
304     ffffffffffffd8f2cade04e00800450005a860b54000011100dac0a8c865c0a8c8ff037903790594f85bc97359818c0504008ace013462cd275dbce0260000891a06bae98bdc0bc1d2e6c0a8c80106000000200d000070110000c00c000050000100800d0000200d0000007e00006018000045e40000c45f000070410000204300007041000030380100c0420000c042000040c1010050b4010058fa0000199b0100200d0000800d0000200d000070e60000600f0000600f0000a029000060210000dcc6000054210000800a0000e00a0000800a0000501b0100800a0000800a0000e05e0000e02b00006eef0000324a0000900000009000000090000000b0150100b0010000b00100000030000010020000

--snip--

sed:
-e "s/\t//2" - delete 2nd tab (between eth.addr and eth.type)
-e "s/\t//2" - delete "new" 2nd tab (between eth.type and data)
-e "s/0x//" - delete the 0x format on eth.type
-e "s/[:,]//g" - clean up eth.addr

If your capture not using a eth header, then adjust as needed.
If packets can contain multiple eth sections then apply more sed.

Using a profile with all protocols disabled except eth:

$ tshark -r ./bvlc.pcap -T fields -e frame.number -e eth.addr -e eth.type -e data -C NO_PROTOCOLS -Y frame.number==304 | sed -e "s/\t//2" -e "s/\t//2" -e "s/0x//" -e "s/[:,]//g"
304     ffffffffffffd8f2cade04e00800450005a860b54000011100dac0a8c865c0a8c8ff037903790594f85bc97359818c0504008ace013462cd275dbce0260000891a06bae98bdc0bc1d2e6c0a8c80106000000200d000070110000c00c000050000100800d0000200d0000007e00006018000045e40000c45f000070410000204300007041000030380100c0420000c042000040c1010050b4010058fa0000199b0100200d0000800d0000200d000070e60000600f0000600f0000a029000060210000dcc6000054210000800a0000e00a0000800a0000501b0100800a0000800a0000e05e0000e02b00006eef0000324a0000900000009000000090000000b0150100b0010000b00100000030000010020000

--snip--

sed:
-e "s/\t//2" - delete 2nd tab (between eth.addr and eth.type)
-e "s/\t//2" - delete "new" 2nd tab (between eth.type and data)
-e "s/0x//" - delete the 0x format on eth.type
-e "s/[:,]//g" - clean up eth.addr

If your capture not using a eth header, then adjust as needed.
If packets can contain multiple eth sections then apply more sed..

(it would be easier if frame protocol called data when all other disabled)