(Presumably you mean "ip.src" and "ip.dst", not "tcp.src" and "tcp.dst".)
To quote the tshark man page's description of the -T flag:

    -T ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
        Set the format of the output when viewing decoded packet data. The
        options are one of:
        ...
        fields The values of fields specified with the -e option, in a form
        specified by the -E option. For example,

            tshark -T fields -E separator=, -E quote=d

        would generate comma-separated values (CSV) output suitable for
        importing into your favorite spreadsheet program.

so you want -T fields.
To quote its description of the -e flag:

    -e <field>
        Add a field to the list of fields to display if -T
        ek|fields|json|pdml is selected. This option can be used multiple
        times on the command line. At least one field must be provided if
        the -T fields option is selected. Column names may be used prefixed
        with "_ws.col."

        Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info

        Giving a protocol rather than a single field will print multiple
        items of data about the protocol as a single field. Fields are
        separated by tab characters by default. -E controls the format of
        the printed fields.

so you'll want -e ip.src and -e ip.dst.
And to quote its description of the -E flag:

    -E <field print option>
        Set an option controlling the printing of fields when -T fields is
        selected.

        Options are:
        ...
        occurrence=f|l|a Select which occurrence to use for fields that
        have multiple occurrences. If f the first occurrence will be used,
        if l the last occurrence will be used and if a all occurrences will
        be used (this is the default).
        ...

The second occurrence of the ip.src and ip.dst fields is the last occurrence, so you want the last occurrence - -E occurrence=l. (Lower-case "l", not the digit "1".)
So you'd want

    tshark -T fields -E occurrence=l -e ip.src -e ip.dst
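
The following is an added example, not part of the original answer: it shows what the three `occurrence=` modes produce for a packet with two IP headers by post-processing output that was already exported with the default `occurrence=a`. The function names, the `capture.pcap` placeholder and the sample addresses are constructed for illustration, and the default `,` aggregator between occurrences is assumed.

```shell
#!/bin/sh
# pick_occurrence MODE   (MODE is f, l or a, mirroring -E occurrence=)
#
# Reads tab-separated `tshark -T fields` output from stdin. With the default
# occurrence=a, a field that occurs more than once in a packet is printed as
# all of its values joined by the aggregator (assumed here to be the default
# ","). This reduces each such field to its first or last occurrence.
pick_occurrence() {
    awk -F '\t' -v OFS='\t' -v mode="$1" '
    {
        for (i = 1; i <= NF; i++) {
            n = split($i, occ, ",")
            if (n > 1 && mode == "f") $i = occ[1]        # outermost header
            else if (n > 1 && mode == "l") $i = occ[n]   # innermost header
            # mode "a": leave every occurrence in place
        }
        print
    }'
}

# Constructed sample of `tshark -T fields -e ip.src -e ip.dst` output:
#   row 1: a tunnelled packet (outer header first, inner header second)
#   row 2: an ordinary packet with a single IP header
sample_rows() {
    printf '10.0.0.1,192.168.1.5\t10.0.0.2,192.168.1.9\n'
    printf '172.16.0.7\t172.16.0.8\n'
}

# Inner (last) addresses, equivalent to exporting with -E occurrence=l
sample_rows | pick_occurrence l

# Against an existing capture (capture.pcap is a placeholder file name):
#   tshark -r capture.pcap -T fields -e ip.src -e ip.dst | pick_occurrence l
```

A packet with only one IP header passes through unchanged in every mode. ICMP error messages also carry an embedded IP header, so for those packets the last occurrence is the quoted header's address pair.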