seprate packet lines in tshark

First time here? Check out the FAQ!

asked Mar 26 '18

This post is a wiki. Anyone with karma >750 is welcome to improve it.

hi. i want to separate the line of each packet in tshark. for example

frame.number ip.src ip.dst

1 192.111.111.111 222.222.222.222

++++++++++++++++++++++++++++++

2 192.111.111.111 222.222.222.222

++++++++++++++++++++++++++++++

3 192.111.111.111 222.222.222.222

++++++++++++++++++++++++++++++

i use this command but not work.

tshark -r test.pcap -T fields -e frame.number -e ip.src -e ip.dst -S + -V >test.txt

1 Answer

Sort by » oldest newest most voted

Guy Harris
19905 ●3 ●667 ●207

Tshark has no mechanism to do that.

If you're on a UN*X, so that you have the sed command available, you could try

tshark -r test.pcap -T fields -e frame.number -e ip.src -e ip.dst | sed "a\\
++++++++++++++++++++++++++++++
" >test.txt

Note that the command really is on 3 separate lines. The newline after the a\ command is required, as is the newline after the sequence of +'s.

Please start posting anonymously - your entry will be published after you log in or create a new account.

1 follower

Asked: Mar 26 '18

Seen: 228 times

Last updated: Mar 26 '18