
tshark -T ek: export certain fields including frame_raw doesn't work

asked 2019-11-16 00:10:18 +0000

perskes

Hey folks, I've spent quite a lot of time braining this out, but I can't seem to figure out how to solve the problem.

I need certain fields like


but (for example) not


plus I need the frame_raw (-x flag), but when I use this command it does not work:

tshark -T ek  -e eth.dst -e eth.dst_resolved -e... -e...  -x -r ../caps/trace_00049_20191116001454.pcap

The output does not contain the frame_raw / -x.

When I use the -J option (to export as json), I use this command:

 tshark -T ek  -J "ip" -x -r ...

I cannot figure out how to convert my filters from "wireshark" terminology to the required terminology for json.

-J "ip" gives me everything in layers.ip, and I cannot narrow it down. Any ideas?



It would be nice if there was a or frame.payload field to include but I haven't found a field that would give all the packet bytes.
The man page seems to say that hex is only available for the summary or details so when individual fields are picked with "-e" that doesn't apply.
Cause TShark to print a hex and ASCII dump of the packet data after printing the summary and/or details, if either are also being displayed.

Are you open to making two passes through, joining the data on timestamp and massaging into a form you can use?

$ tshark -r ./nfl_short.pcapng -T ek -e eth.dst -e eth.dst_resolved -c 1
$ tshark -r ./nfl_short ...
Chuckc ( 2019-11-16 07:39:00 +0000 )

I took the fields/field names from these docs, they are great, but they don't show the json filters, which is bad.

Now, I am kinda bound to speed, I am capturing with a remote interface on windows, storing the ringbuffer files to a share and import them to kibana on linux. Currently I am trying two ways to get only what I want:

wireshark fields filter, and a python script to build a new json object from the loaded json object, but both don't work 100%.

With two passes, you mean storing the fields in one file, and then running tshark -r file -T ek -x to store the raw data in another file, to later merge them?

I am afraid this adds too much complexity to the scripts (when merging) and runs longer.

I wish there was a way to ...(more)

perskes ( 2019-11-16 13:57:42 +0000 )
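
The two-pass approach discussed in the comments above, as an added example that is not part of the original thread: it joins the `-e` pass and the `-x` pass by record order rather than by timestamp, because two packets can carry the same timestamp value. The record layout (`timestamp`, `layers`, `frame_raw` under `layers`, bulk `index` lines in between) and the sample lines are assumptions constructed for illustration.

```python
import json
from itertools import zip_longest

# Constructed sample of pass 1 (tshark -T ek -e eth.dst ...); layout is an assumption.
PASS1 = [
    '{"index":{"_index":"packets-2019-11-16","_type":"doc"}}',
    '{"timestamp":"1573863294000","layers":{"eth_dst":["00:11:22:33:44:55"]}}',
    '{"index":{"_index":"packets-2019-11-16","_type":"doc"}}',
    '{"timestamp":"1573863294000","layers":{"eth_dst":["66:77:88:99:aa:bb"]}}',
]
# Constructed sample of pass 2 (tshark -T ek -x) over the same capture file.
PASS2 = [
    '{"index":{"_index":"packets-2019-11-16","_type":"doc"}}',
    '{"timestamp":"1573863294000","layers":{"frame_raw":"001122334455deadbeef00010800"}}',
    '{"index":{"_index":"packets-2019-11-16","_type":"doc"}}',
    '{"timestamp":"1573863294000","layers":{"frame_raw":"66778899aabbdeadbeef00020800"}}',
]

def ek_docs(lines):
    """Yield packet documents, skipping blank lines and bulk 'index' action lines."""
    for line in lines:
        line = line.strip()
        if not line:
            continue
        obj = json.loads(line)
        if "layers" in obj:
            yield obj

def merge_passes(fields_lines, raw_lines, raw_key="frame_raw"):
    """Stream-join both passes by position; timestamps serve only as a sanity check."""
    pairs = zip_longest(ek_docs(fields_lines), ek_docs(raw_lines))
    for n, (f, r) in enumerate(pairs, 1):
        if f is None or r is None:
            raise ValueError(f"record {n}: passes differ in length")
        if f.get("timestamp") != r.get("timestamp"):
            raise ValueError(f"record {n}: timestamp mismatch, passes out of sync")
        layers = dict(f["layers"])                  # selected fields from pass 1
        layers[raw_key] = r["layers"].get(raw_key)  # raw frame bytes from pass 2
        yield {"timestamp": f["timestamp"], "layers": layers}

if __name__ == "__main__":
    # Both sample packets share one timestamp, so a timestamp-keyed join
    # would collapse them; the positional join keeps them apart.
    for doc in merge_passes(PASS1, PASS2):
        print(json.dumps(doc))
```

Both inputs can be any iterable of lines, such as two open files, so the merge does not need to hold a whole ring-buffer file in memory.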
If you don't need the whole frame it's possible to turn off dissection for the upper layers and grab

$ tshark -r ./nfl.pcapng -T fields -e frame.protocols | sort | uniq -c
   1288 eth:ethertype:ip:tcp
    113 eth:ethertype:ip:tcp:data
    257 eth:ethertype:ip:tcp:http
   2493 eth:ethertype:ip:tcp:http:data
      1 eth:ethertype:ip:tcp:http:data:data:data-text-lines
     41 eth:ethertype:ip:tcp:http:data-text-lines
     14 eth:ethertype:ip:tcp:http:image-gif
      8 eth:ethertype:ip:tcp:http:image-jfif
      3 eth:ethertype:ip:tcp:http:json
     22 eth:ethertype:ip:tcp:http:media
      2 eth:ethertype:ip:tcp:http:ocsp
      2 eth:ethertype:ip:tcp:http:ocsp:ocsp
     30 eth:ethertype:ip:tcp:http:png
     26 eth:ethertype:ip:tcp:http:xml
      7 eth:ethertype:ip:tcp:tls
     61 eth:ethertype:ip:udp:dns
$ tshark ...
Chuckc ( 2019-11-16 15:28:24 +0000 )

1 Answer


answered 2020-06-01 12:06:38 +0000

Here are some proposed patches to address the issue. All are adding hex support to tshark fields filter (-T ek -x -e ...):

None of these patches is accepted yet and the approach is not concluded yet. (The -k option probably most closely does what was asked here.)

To use it, you need to download the source code of a stable Wireshark release, apply the selected patch and compile Wireshark.




Asked: 2019-11-16 00:10:18 +0000

Seen: 1,821 times

Last updated: Jun 01 '20