Ask Your Question
0

Extract Information from Wireshark

asked 2022-06-01 20:27:13 +0000

Ke gravatar image

Hi community!

Our project aims to analyze the pcap file based on the dissection data we get from Wireshark.

I would like to know if there is any interface I can use directly to extract the information provided by wireshark, such as source address, destination address, and any other protocol specific information.

I know lua script can get the dissection data easily, with "Field" object. For example, to get the source address of a ipv4 data frame, use Field.new("ip.src"). But it is not a generic solution. It becomes cumbersome when we want to support many protocols.

So, is there any function to get information like protocol name, data for a certain field. Or is there any command in Tshark?

I hope I addressed my problem clearly and thanks for taking time to read my question!

Kind Regards

edit retag flag offensive close merge delete
add a comment

1 Answer

Sort by ยป oldest newest most voted
0

answered 2022-06-02 11:48:53 +0000

SYN-bit gravatar image

For a couple of fields, especially fields with only one occurrence per packet, the easiest way is to use tshark -T fields -e <field1> -e <field2> .... If you need the full dissection tree for the relationship between fields, the PDML output (-T pdml) or the JSON output (-T json) might be better options. Have a look at tshark -h or the manpage for all kinds of output options.

Here is an example of the -T fields output:

$ tshark -r icmp-vlan-test.pcapng -T fields -e vlan.id -e ip.src -e ip.dst
1667    91.132.51.132   198.51.100.10
1667    198.51.100.10   91.132.51.132
1667    103.30.42.149   198.51.100.10
1667    198.51.100.10   103.30.42.149
1667    103.56.114.166  198.51.100.10
1667    198.51.100.10   103.56.114.166
97  10.0.0.101  198.51.100.10
1667    10.0.0.101  198.51.100.10
1667    198.51.100.10   10.0.0.101
97  198.51.100.10   10.0.0.101
97  10.0.0.101  198.51.100.10
1667    10.0.0.101  198.51.100.10
1667    198.51.100.10   10.0.0.101
97  198.51.100.10   10.0.0.101
$
edit flag offensive delete link more
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

subscribe to rss feed

Stats

Asked: 2022-06-01 20:27:13 +0000

Seen: 750 times

Last updated: Jun 02 '22

Related questions

Wireshark public API for data

How to find the Apex Legends Store api endpoint?

How to get a diff for two or more packets in a stream

Regarding APIs changes/replacement in Latest Version in wireshark

tshark api to generate json from pcap

TLS RSA Key Extraction (Help/Hint Wanted)

How can I capture API endpoints sent to HTTPS from an Android App?

POST Request to API with Wireshark

How to provide subset TVB for the subsequent dissectors in Lua?