I want to combine two filter in a tshark command to extract the type of the TLS record so I tried this command but iy dosen't work. tshark -r capture.pcapng -T fields -e "tls.record.content_type && tls.record.opaque_type" -E separator="|"
Any help please?
-e is not a filter, that's an output field selector. To filter (using display filter syntax use -Y, e.g.
tshark -r capture.pcapng -Y "tls.record.content_type && tls.record.opaque_type" -T fields -e "tls.record.content_type -e tls.record.opaque_type" -E separator="|"
Note that this display filter will only select records that have both fields present.
Is it possible to select tls.record.content_type and tls.record.opaque_type if they were both present or just one and put them always in the same field. I want my final output to be like this (I want to select other fields like record length ...) tls.record.content_type and/or tls.record.opaque_type | tls.record.length | tls.record.version Is it possible?
Nope. Each field must be specified separately and will have your choice of separator delimiting them. Combining fields is left to post processing using whatever tools you have to hand.
Wireshark (or tshark) does not support calculated fields directly, but this could be done by writing a post-dissector, probably in Lua.
Lua is a scripting language built-in to Wireshark that can be used for a range of things such as dissectors, post-dissectors, taps and UI elements.
For your particular case a post-dissector would be created that would combine the 2 fields into a new field that can be selected by -e.
If you have any further questions about Lua, please open a new question.
Asked: 2020-04-14 15:15:50 +0000
Seen: 1,039 times
Last updated: Apr 14 '20
Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
