seprate packet lines in tshark

asked 2018-03-26 19:33:16 +0000

This post is a wiki. Anyone with karma >750 is welcome to improve it.

hi. i want to separate the line of each packet in tshark. for example

frame.number ip.src ip.dst

1 192.111.111.111 222.222.222.222

++++++++++++++++++++++++++++++

2 192.111.111.111 222.222.222.222

++++++++++++++++++++++++++++++

3 192.111.111.111 222.222.222.222

++++++++++++++++++++++++++++++

i use this command but not work.

tshark -r test.pcap -T fields -e frame.number -e ip.src -e ip.dst -S + -V >test.txt

1 Answer

Sort by » oldest newest most voted

Guy Harris
19890 ●3 ●659 ●207

Tshark has no mechanism to do that.

If you're on a UN*X, so that you have the sed command available, you could try

tshark -r test.pcap -T fields -e frame.number -e ip.src -e ip.dst | sed "a\\
++++++++++++++++++++++++++++++
" >test.txt

Note that the command really is on 3 separate lines. The newline after the a\ command is required, as is the newline after the sequence of +'s.

Please start posting anonymously - your entry will be published after you log in or create a new account.

1 follower

Asked: 2018-03-26 19:33:16 +0000

Seen: 212 times

Last updated: Mar 26 '18