Ask Your Question
0

How to display only packet, packet size, and timestamp?

asked 2020-10-10 23:16:29 +0000

Trick0904 gravatar image

I'm new to Wireshark and unix systems in general, but I'm currently trying to figure out on using tshark to use on Ubuntu. Is it possible to display only specific output from tshark like packet number, size, and time?

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2020-10-11 00:51:32 +0000

Chuckc gravatar image

updated 2020-10-11 08:57:13 +0000

grahamb gravatar image

If you have access to the Wireshark Gui, it will be easier to learn the fields you want to display.
The tshark man page will help with options.

Example: tshark -T fields -e frame.number -e ip.addr -e udp -e _ws.col.Info



$ tshark -r  ./quic-faceb002.pcap -T fields -e frame.number -e frame.len -e frame.time -E header=yes
frame.number    frame.len       frame.time
1       1274    Oct  2, 2020 02:19:21.477557000 Central Daylight Time
2       1294    Oct  2, 2020 02:19:21.500335000 Central Daylight Time
3       1294    Oct  2, 2020 02:19:21.501561000 Central Daylight Time

@SYN-bit (Sake Blok) is the tshark master.
Here is his presentation from Sharkfest 2019:
04: Solving (SharkFest) packet capture challenges with only tshark by Sake Blok

edit flag offensive delete link more

Comments

Thank you very much. This is what I've been trying to do for a while experimenting with tshark and wireshark for quite a while now. I had been looking at the man pages but haven't been successful with outputting the relevant data using the correct options.

Trick0904 gravatar imageTrick0904 ( 2020-10-11 01:33:53 +0000 )edit

Thanks for the kind words @Chuckc

tshark -G fields will give you an overview of the (thousands) of available fields. You could use awk to limit the output to just one protocol (or fieldname pattern) like this:

tshark -G fields | awk '$3 ~ "^ip\\." {print}'
SYN-bit gravatar imageSYN-bit ( 2020-10-11 09:57:02 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2020-10-10 23:16:29 +0000

Seen: 1,035 times

Last updated: Oct 11 '20

Related questions

Diameter 'Answer In'/'Request In' fields not available with tshark/pyshark

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?

How do I change the interface on Tshark?

Tshark TCP stream assembly

Tshark output file problem, saving to csv or txt

Copyright Wireshark Foundation, 2017-2023 Content on this site is licensed under a Creative Commons Attribution Share Alike 3.0 license.
about | faq | help | privacy policy | terms of service
Powered by Askbot version 0.10.2