How to combine two filters in tshark

asked 2020-04-14 15:15:50 +0000

I want to combine two filters in a tshark command to extract the type of the TLS record, so I tried this command but it doesn't work:

tshark -r capture.pcapng -T fields -e "tls.record.content_type && tls.record.opaque_type" -E separator="|"

Any help please?

answered 2020-04-14 15:21:20 +0000

-e is not a filter, that's an output field selector. To filter (using display filter syntax) use -Y, e.g.

tshark -r capture.pcapng -Y "tls.record.content_type && tls.record.opaque_type" -T fields -e tls.record.content_type -e tls.record.opaque_type -E separator="|"

Note that this display filter will only select records that have both fields present.

Is it possible to select tls.record.content_type and tls.record.opaque_type if both are present, or just one of them, and always put them in the same field? I want my final output to be like this (I want to select other fields like record length ...): tls.record.content_type and/or tls.record.opaque_type | tls.record.length | tls.record.version. Is it possible?

Nope. Each field must be specified separately and will have your choice of separator delimiting them. Combining fields is left to post processing using whatever tools you have to hand.

Wireshark (or tshark) does not support calculated fields directly, but this could be done by writing a post-dissector, probably in Lua.

Could you explain more about Lua, please?

Lua is a scripting language built into Wireshark that can be used for a range of things such as dissectors, post-dissectors, taps and UI elements.

For your particular case a post-dissector would be created that would combine the two fields into a new field that can be selected by -e.

If you have any further questions about Lua, please open a new question.
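As an added illustration of the post-dissector approach described above (this is not the answerer's code; the protocol name tlsrec_combined, the field name tlsrec_combined.type and the script file name are assumed), a Lua post-dissector that copies whichever of tls.record.content_type or tls.record.opaque_type is present on each record into one new field:

```lua
-- tls_combined.lua (assumed file name): Wireshark post-dissector that exposes
-- the per-record TLS type as a single field, whether the dissector filled
-- tls.record.content_type (plaintext / decrypted records) or
-- tls.record.opaque_type (TLS 1.3 encrypted records).
--
-- Run it with (names are assumptions, not part of the original answer):
--   tshark -X lua_script:tls_combined.lua -r capture.pcapng -T fields \
--     -e tlsrec_combined.type -e tls.record.length -e tls.record.version \
--     -E separator="|"

-- Field extractors must be created at load time, before any packet is dissected.
local f_content_type = Field.new("tls.record.content_type")
local f_opaque_type  = Field.new("tls.record.opaque_type")

local proto = Proto("tlsrec_combined", "TLS record type (combined)")
local pf_type = ProtoField.uint8("tlsrec_combined.type", "Record type", base.DEC)
proto.fields = { pf_type }

function proto.dissector(tvb, pinfo, tree)
    -- Calling an extractor returns every occurrence in the packet; a frame
    -- may carry several TLS records, so collect all of them from both fields.
    local infos = {}
    for _, fi in ipairs({ f_content_type() }) do infos[#infos + 1] = fi end
    for _, fi in ipairs({ f_opaque_type() })  do infos[#infos + 1] = fi end
    if #infos == 0 then return end

    -- Keep record order by sorting on the byte offset of each field.
    table.sort(infos, function(a, b) return a.offset < b.offset end)

    local subtree = tree:add(proto, tvb())
    for _, fi in ipairs(infos) do
        -- One tlsrec_combined.type value per record, taken from whichever
        -- source field the TLS dissector populated for that record.
        subtree:add(pf_type, fi.value)
    end
end

register_postdissector(proto)
```

When a frame holds several records, -T fields joins the occurrences with a comma by default; use -E occurrence=f (or l) to keep only the first (or last) value per frame.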

