Tshark export object with IPs
While exporting objects with Tshark, is there a possibility to ask for the IPs involved?
I need to recover the information about the IP sender and IP receiver of the file.
There is a pcap attached to this Bugzilla for testing.
Tshark extract: 2030180 Apr 16 16:12 002804-1-Secondary-Capture-Image-Storage.dcm
Wireshark extract: 2029854 Apr 16 16:14 002804-1-1.2.276.0.7230010.3.1.4.341615093.12584.1428680298.845.dcm
The start of each filename contains the last packet/frame number (2804) of the object:
filename = wmem_strdup_printf(wmem_packet_scope(), "%06d-%d-%s.dcm", pinfo->num, cnt_same_pkt,
g_strcanon(pdv_curr->sop_instance_uid, G_CSET_A_2_Z G_CSET_a_2_z G_CSET_DIGITS "-.", '-'));
$ tshark -r ./test.cap -Y "frame.number==2804" -T fields -e ip.src -e ip.dst
165.226.145.190 165.226.144.126
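The lookup from the answer above, scripted for a whole export directory. This is an added example, not part of the original post or of Wireshark. It assumes the exported files follow the `%06d-%d-%s.dcm` naming shown above and that `tshark` is on the PATH; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: map exported DICOM files back to the IP endpoints of the
# frame whose number is encoded at the start of each file name.

# Print the frame number encoded in an exported file name
# ("%06d-%d-%s.dcm") with the zero padding removed. Returns 1 if the
# name does not start with a positive decimal number followed by '-'.
frame_from_name() {
    base=${1##*/}                      # drop any directory part
    case $base in *-*) ;; *) return 1 ;; esac
    num=${base%%-*}                    # text before the first '-'
    case $num in ''|*[!0-9]*) return 1 ;; esac
    # Strip leading zeros; frames above 999999 simply have more digits.
    while [ "${num#0}" != "$num" ]; do num=${num#0}; done
    [ -n "$num" ] || return 1          # "000000" is not a valid frame
    printf '%s\n' "$num"
}

# Print "file<TAB>frame<TAB>ip.src<TAB>ip.dst" for every .dcm file in a
# directory. The tshark call is the one from the answer; with -T fields
# the two addresses are tab-separated by default.
endpoints_for_exports() {
    pcap=$1
    dir=$2
    for f in "$dir"/*.dcm; do
        [ -e "$f" ] || continue        # directory contains no .dcm files
        frame=$(frame_from_name "$f") || { echo "skip: $f" >&2; continue; }
        ips=$(tshark -r "$pcap" -Y "frame.number==$frame" \
              -T fields -e ip.src -e ip.dst)
        printf '%s\t%s\t%s\n' "${f##*/}" "$frame" "$ips"
    done
}

# Run only when called as: script.sh capture.pcap export_dir
if [ "$#" -eq 2 ]; then
    endpoints_for_exports "$1" "$2"
fi
```

The address columns come out empty for a frame that carries no IPv4 header, because only `ip.src` and `ip.dst` are requested.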
There is no general mechanism to add that to the file contents, as not all file types support adding, for example, comments.
We could add an option to "Export Objects" to add the IP endpoints, either resolved (as host names if possible) or as addresses, to the file names.
This should be filed as an enhancement request on the Wireshark Bugzilla.
Asked: 2020-04-16 11:39:42 +0000
Seen: 448 times
Last updated: Apr 17 '20
What objects are you exporting? Also tshark version?
I'm exporting dicom objects. Tshark version is 3.2.2