how to use tshark to show all srcport and dstport?

asked 2020-11-11 01:01:46 +0000 by d6626410

updated 2020-11-11 13:53:56 +0000 by grahamb

tshark -r ./ALL_010.tcp -T fields -e frame.time -e ip.src -e ip.dst -e ip.proto -e tcp.srcport -e tcp.dstport -E header=n -E separator=, -E quote=n -E occurrence=f >./ALL_010.csv

I want to export all srcport and dstport; how can I fix this command?


Comments

What's wrong with it that it needs to be fixed? It has more than just the TCP source and destination ports, but that's what you told TShark to do.

Do you mean you also want UDP source and destination ports, for example?

Guy Harris ( 2020-11-11 01:55:56 +0000 )

I want TCP port and UDP port....

d6626410 ( 2020-11-11 02:15:15 +0000 )

You could add columns for Src port (unresolved) and Dest port (unresolved) to the profile (looks like Default profile is used - no "-C" option).

Then reference them as _ws.col fields (using column title) in tshark:

$ tshark -r ./ultpcap2.pcapng -T fields -e _ws.col.No\. -e _ws.col.Protocol -e _ws.col.srcport -e _ws.col.dstport | grep -i tcp | head -2
1       TCP     1152    80
2       TCP     80      1152

$ tshark -r ./ultpcap2.pcapng -T fields -e _ws.col.No\. -e _ws.col.Protocol -e _ws.col.srcport -e _ws.col.dstport | grep -i udp | head -2
845     UDP     64199   1967
846     UDP     64091   1967


$ tshark -r ./ultpcap2.pcapng -T fields -e _ws.col.No\. -e _ws.col.Protocol -e _ws.col.srcport -e _ws.col.dstport | grep -i dns | head -2
64      DNS     56606   53
65      DNS     53      56606
Chuckc ( 2020-11-11 05:05:25 +0000 )

Or you could override the column settings on the command line:

tshark -o gui.column.format:"SP,%uS,DP,%uD" -r {capture file} -T fields -e frame.time -e ip.src -e ip.dst -e ip.proto -e _ws.col.SP -e _ws.col.DP -E header=n -E separator=, -E quote=n -E occurrence=f

The -o gui.column.format parameter sets TShark up to have two columns - a column with the title "SP", containing the unresolved source port, and a column with the title "DP", containing the unresolved destination port. That won't change your profile, it'll just change the columns for that particular instance of TShark.

Guy Harris ( 2020-11-11 07:14:02 +0000 )

If you just want source and destination ports, why not use the statistics feature?

tshark -r $file -nq -z endpoints,tcp -z endpoints,udp

or

tshark -r $file -nq -z conv,tcp -z conv,udp
André ( 2020-11-12 19:50:16 +0000 )

@Chuckc, I added "-e _ws.col.srcport -e _ws.col.dstport" to the command, but it doesn't work. Here is my full command:

    tshark -r b.pcapng \
 -R "not icmp" \
 -2 -t ad \
 -T fields -e _ws.col.Protocol -e _ws.col.Time \
 -e ip.src -e ip.dst -e frame.len \
 -e _ws.col.srcport -e _ws.col.dstport -e data.data \
 -e _ws.col.Info \
 -E header=y -E separator=, > a.csv

and it returns:

    _ws.col.Protocol,_ws.col.Time,ip.src,ip.dst,frame.len,_ws.col.srcport,_ws.col.dstport,data.data,_ws.col.Info
    HTTP,2022-10-10 03:58:10.302536,125.39.103.229,192.168.5.123,4290,,,6ac4e9....,HTTP/1.1 200 OK [Packet size limited during capture]
......

srcport and dstport columns are empty.

Sonic ( 2022-10-10 04:18:07 +0000 )
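An added example, not code from the original thread or from the Wireshark project, that takes a different route from the column-based answers above: request tcp.srcport/tcp.dstport and udp.srcport/udp.dstport explicitly and merge them afterwards, so nothing depends on a srcport/dstport column being defined in the active profile. That dependency is why the _ws.col.srcport and _ws.col.dstport fields come back empty in the last comment: a _ws.col.<title> field only resolves against a column that exists in the profile in use or is set with -o gui.column.format, and with the Default profile there is no column titled srcport or dstport. The function names export_ports, coalesce_ports, sample_fields and demo, the column layout, and the sample rows are this example's own; tshark on PATH is assumed only by export_ports, and the sample rows are constructed, not taken from a real capture.

```sh
#!/bin/sh
# Added example, not code from the original thread.
# Idea: instead of depending on a "srcport"/"dstport" column existing in the
# active profile, ask tshark for the TCP and UDP port fields explicitly and
# merge them into a single srcport/dstport pair afterwards.  With -T fields,
# tshark prints an empty value for a field that does not occur in a packet,
# so a TCP packet has empty udp.* fields and a UDP packet has empty tcp.* fields.

# Merge the port columns.  Function name and column layout are this example's
# own choice (assumption, not a tshark convention).
# Input  (one line per packet):
#   frame.time_epoch,ip.src,ip.dst,ip.proto,tcp.srcport,tcp.dstport,udp.srcport,udp.dstport
# Output (one line per packet):
#   frame.time_epoch,ip.src,ip.dst,ip.proto,srcport,dstport
# A packet that is neither TCP nor UDP keeps empty port columns.
coalesce_ports() {
    awk -F',' -v OFS=',' '{
        src = ($5 != "") ? $5 : $7   # tcp.srcport, else udp.srcport
        dst = ($6 != "") ? $6 : $8   # tcp.dstport, else udp.dstport
        print $1, $2, $3, $4, src, dst
    }'
}

# Run tshark over a capture and write the merged CSV.  Assumes tshark is on
# PATH; the capture path and output path are caller-supplied.
# frame.time_epoch is used instead of frame.time because frame.time is a
# human-readable timestamp that, depending on version and settings, contains
# a comma; with -E separator=, that would shift every following column.
# Usage: export_ports capture.pcapng out.csv
export_ports() {
    capture="$1"
    out="$2"
    tshark -r "$capture" -T fields \
        -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto \
        -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport \
        -E header=n -E separator=, -E quote=n -E occurrence=f \
    | coalesce_ports > "$out"
}

# Constructed sample of tshark's raw -T fields output (not from a real
# capture): one TCP packet, one UDP/DNS packet, one ICMP packet.
sample_fields() {
    printf '%s\n' \
        '1605056506.000000000,10.0.0.5,10.0.0.9,6,1152,80,,' \
        '1605056507.000000000,10.0.0.5,10.0.0.1,17,,,56606,53' \
        '1605056508.000000000,10.0.0.5,10.0.0.9,1,,,,'
}

# Merged result for the constructed sample, so the merge step can be checked
# without tshark or a capture file.
demo() {
    sample_fields | coalesce_ports
}

# Run against a real capture when invoked with two arguments.
if [ "$#" -eq 2 ]; then
    export_ports "$1" "$2"
fi
```

Running the script as `sh export_ports.sh capture.pcapng out.csv` produces one row per packet with a single srcport and dstport column regardless of transport; packets with neither TCP nor UDP (ICMP, for example) keep both port columns empty rather than being dropped, which is the behaviour the original command's `-E occurrence=f` output would also give for a missing field. If you would rather keep the _ws.col approach from the comments above, the same empty-column symptom disappears once the two columns are added to the profile or supplied on the command line with `-o gui.column.format`.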