Hello,
I use this command to filter some field from my pcap file and store them in a csv file:
tshark -r capturebase.pcap -T fields -e ip.src -e ip.dst -e frame.number -e modbus.func_code -e modbus.byte_cnt
I want to know how can add filter field names in the csv file please
From the tshark man page (also in the help output by -h):
-E <field print="" option=""> Set an option controlling the printing of fields when -T fields is selected.
Options are:
bom=y|n If y, prepend output with the UTF-8 byte order mark (hexadecimal ef, bb, bf). Defaults to n.
header=y|n If y, print a list of the field names given using -e as the first line of the output; the field name will be separated using the same character as the field values. Defaults to n.
separator=/t|/s|<character> Set the separator character to use for fields. If /t tab will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.
occurrence=f|l|a Select which occurrence to use for fields that have multiple occurrences. If f the first occurrence will be used, if l the last occurrence will be used and if a all occurrences will be used (this is the default).
aggregator=,|/s|<character> Set the aggregator character to use for fields that have multiple occurrences. If , a comma will be used (this is the default), if /s, a single space will be used. Otherwise any character that can be accepted by the command line as part of the option may be used.
quote=d|s|n Set the quote character to use to surround fields. d uses double-quotes, s single-quotes, n no quotes (the default).
So add -E header=y to your command line.
Asked: 2019-09-07 22:10:48 +0000
Seen: 742 times
Last updated: Sep 08 '19
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
