tshark -T ek: export certain fields including frame_raw doesnt work
Hey folks, I've spent quite a lot of time braining this out, but I can't seem to figure out how to solve the Problem.
I need certain fields like
eth.dst
eth.dst_resolved
but ( for example) not
eth.src
eth.src_resolved
plus I need the frame_raw (-x flag), but when I use this command it does not work:
tshark -T ek -e eth.dst -e eth.dst_resolved -e... -e... -x -r ../caps/trace_00049_20191116001454.pcap
The output does not contain the frame_raw / -x.
When I use the -J option (to export as json), I use this command:
tshark -T ek -J "ip" -x -r ...
I cannot figure out how to convert my filters from "wireshark" terminology to the required terminology for json.
-J "ip" gives me everything in layers.ip, and I cannot narrow it down. Any ideas?
It would be nice if there was a
frame.dataorframe.payloadfield to include but I haven't found a field that would give all the packet bytes.The man page seems to say that hex is only available for the summary or details so when individual fields are picked with "-e" that doesn't apply.
Are you open to making two passes through, joining the data on timestamp and massaging into a form you can use?
$ tshark -r ./nfl_short.pcapng -T ek -e eth.dst -e eth.dst_resolved -c 1 {"index":{"_index":"packets-2018-10-11","_type":"pcap_file"}} {"timestamp":"1539298849189","layers":{"eth_dst":["dc:7f:a4:2c:0b:15"],"eth_dst_resolved":["2Wire_2c:0b:15"]}} $ tshark -r ./nfl_short ...(more)I took the fields/field names from these docs, they are great, but they don't show the json filters, which is bad.
https://www.wireshark.org/docs/dfref/...
Now, I am kinda bound to speed, I am capturing with a remote interface on windows, storing the ringbuffer files to a share and import them to kibana on linux. Currently I am trying two ways to get only what I want:
wireshark fields filter, and a python script th build a new json object from the loaded json object, but both don't work 100%.
With two passes, you mean storing the fields in one file, and then running tshark -r file -T ek -x to store the raw data in another file, to later merge them?
I am afraid this adds too much complexity to the scripts (when merging) and runs longer.
I wish there was a way to ...(more)
https://ask.wireshark.org/question/11...
If you don't need the whole frame its possible to turn off dissection for the upper layers and grab
data.data.$ tshark -r ./nfl.pcapng -T fields -e frame.protocols | sort | uniq -c 1288 eth:ethertype:ip:tcp 113 eth:ethertype:ip:tcp:data 257 eth:ethertype:ip:tcp:http 2493 eth:ethertype:ip:tcp:http:data 1 eth:ethertype:ip:tcp:http:data:data:data-text-lines 41 eth:ethertype:ip:tcp:http:data-text-lines 14 eth:ethertype:ip:tcp:http:image-gif 8 eth:ethertype:ip:tcp:http:image-jfif 3 eth:ethertype:ip:tcp:http:json 22 eth:ethertype:ip:tcp:http:media 2 eth:ethertype:ip:tcp:http:ocsp 2 eth:ethertype:ip:tcp:http:ocsp:ocsp 30 eth:ethertype:ip:tcp:http:png 26 eth:ethertype:ip:tcp:http:xml 7 eth:ethertype:ip:tcp:tls 61 eth:ethertype:ip:udp:dns(more)