
Extract Information from Wireshark

asked 2022-06-01 20:27:13 +0000

Ke

Hi community!

Our project aims to analyze the pcap file based on the dissection data we get from Wireshark.

I would like to know if there is any interface I can use directly to extract the information provided by Wireshark, such as the source address, destination address, and any other protocol-specific information.

I know a Lua script can get the dissection data easily with the "Field" object. For example, to get the source address of an IPv4 frame, use Field.new("ip.src"). But it is not a generic solution. It becomes cumbersome when we want to support many protocols.

So, is there any function to get information like the protocol name, or the data for a certain field? Or is there any command in TShark?

I hope I addressed my problem clearly and thanks for taking time to read my question!

Kind Regards


1 Answer


answered 2022-06-02 11:48:53 +0000

SYN-bit

For a couple of fields, especially fields with only one occurrence per packet, the easiest way is to use tshark -T fields -e <field1> -e <field2> .... If you need the full dissection tree for the relationship between fields, the PDML output (-T pdml) or the JSON output (-T json) might be better options. Have a look at tshark -h or the manpage for all kinds of output options.

Here is an example of the -T fields output:

$ tshark -r icmp-vlan-test.pcapng -T fields -e vlan.id -e ip.src -e ip.dst
1667    91.132.51.132   198.51.100.10
1667    198.51.100.10   91.132.51.132
1667    103.30.42.149   198.51.100.10
1667    198.51.100.10   103.30.42.149
1667    103.56.114.166  198.51.100.10
1667    198.51.100.10   103.56.114.166
97  10.0.0.101  198.51.100.10
1667    10.0.0.101  198.51.100.10
1667    198.51.100.10   10.0.0.101
97  198.51.100.10   10.0.0.101
97  10.0.0.101  198.51.100.10
1667    10.0.0.101  198.51.100.10
1667    198.51.100.10   10.0.0.101
97  198.51.100.10   10.0.0.101
$
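The answer points at -T pdml when you need the whole dissection tree rather than a fixed list of -e fields. The script below is an added example (not from the question, the answer, or the Wireshark project) of consuming that output generically: it walks every <proto> and nested <field> element of a PDML document and returns, per packet, the list of protocol names and a map of field name to values, which is the "protocol name and data for a certain field" the question asks about without hard-coding one Field.new() per protocol. The PDML snippet is constructed by hand in the shape tshark emits (protocol and field names are real Wireshark names; the packet itself is made up and mirrors the first line of the answer's output), so the script runs offline; the tshark invocation at the bottom only runs if tshark is on PATH. The -r, -T pdml and -Y options are real tshark options.

```python
"""Generic field extraction from tshark PDML output (added example, not Wireshark code)."""
import shutil
import subprocess
import xml.etree.ElementTree as ET
from typing import Dict, Iterator, List, Optional, Tuple

# Constructed sample in the shape of `tshark -r file.pcapng -T pdml` output.
# Real output starts with an XML declaration and carries many more attributes;
# only the pieces this parser uses (name/show/hide and the nesting) are kept.
SAMPLE_PDML = """
<pdml version="0" creator="wireshark/3.6.0">
  <packet>
    <proto name="frame" showname="Frame 1: 102 bytes on wire" size="102" pos="0">
      <field name="frame.len" showname="Frame Length: 102 bytes" size="0" pos="0" show="102"/>
    </proto>
    <proto name="eth" showname="Ethernet II" size="14" pos="0">
      <field name="eth.dst" showname="Destination" size="6" pos="0" show="00:11:22:33:44:55" value="001122334455"/>
      <field name="eth.src" showname="Source" size="6" pos="6" show="66:77:88:99:aa:bb" value="66778899aabb"/>
    </proto>
    <proto name="vlan" showname="802.1Q Virtual LAN" size="4" pos="14">
      <field name="vlan.id" showname="ID: 1667" size="2" pos="16" show="1667" value="0683"/>
    </proto>
    <proto name="ip" showname="Internet Protocol Version 4" size="20" pos="18">
      <field name="ip.src" showname="Source Address: 91.132.51.132" size="4" pos="30" show="91.132.51.132"/>
      <field name="ip.dst" showname="Destination Address: 198.51.100.10" size="4" pos="34" show="198.51.100.10"/>
      <field name="ip.addr" show="91.132.51.132" hide="yes"/>
      <field name="ip.flags" showname="Flags: 0x40, Don't fragment" size="1" pos="24" show="0x40">
        <field name="ip.flags.df" showname="Don't fragment: Set" size="1" pos="24" show="1"/>
      </field>
    </proto>
    <proto name="icmp" showname="Internet Control Message Protocol" size="64" pos="38">
      <field name="icmp.type" showname="Type: 8 (Echo (ping) request)" size="1" pos="38" show="8"/>
      <field name="" show="[Some text-only tree item]"/>
    </proto>
  </packet>
</pdml>
"""


def iter_fields(proto: ET.Element) -> Iterator[Tuple[str, str]]:
    """Yield (field_name, show_value) for every <field> below a <proto>.

    PDML nests <field> elements for subtrees (ip.flags -> ip.flags.df), so a
    flat child scan would miss inner fields; Element.iter() is depth-first over
    all descendants. Text-only tree items have name="" and fields Wireshark
    would not display are marked hide="yes"; both are skipped here.
    """
    for field in proto.iter("field"):
        name = field.get("name", "")
        if not name or field.get("hide") == "yes":
            continue
        yield name, field.get("show", "")


def parse_pdml(pdml_text: str) -> List[Dict[str, object]]:
    """Return one dict per packet: {"protocols": [...], "fields": {name: [values]}}.

    A field name can occur several times in one packet (e.g. encapsulated
    headers), so every field maps to a list of its values in dissection order.
    """
    packets: List[Dict[str, object]] = []
    for packet in ET.fromstring(pdml_text).iter("packet"):
        protocols: List[str] = []
        fields: Dict[str, List[str]] = {}
        for proto in packet.findall("proto"):
            proto_name = proto.get("name", "")
            if proto_name:
                protocols.append(proto_name)
            for field_name, value in iter_fields(proto):
                fields.setdefault(field_name, []).append(value)
        packets.append({"protocols": protocols, "fields": fields})
    return packets


def first_value(packet: Dict[str, object], field_name: str, default: str = "") -> str:
    """Convenience accessor mirroring what `-e <field>` would print for a packet."""
    values = packet["fields"].get(field_name)  # type: ignore[union-attr]
    return values[0] if values else default


def tshark_pdml_command(pcap_path: str, display_filter: Optional[str] = None) -> List[str]:
    """Build the tshark argv for full-tree PDML output, optionally with a display filter (-Y)."""
    cmd = ["tshark", "-r", pcap_path, "-T", "pdml"]
    if display_filter:
        cmd += ["-Y", display_filter]
    return cmd


def extract_from_pcap(pcap_path: str, display_filter: Optional[str] = None) -> List[Dict[str, object]]:
    """Run tshark on a capture and parse its PDML; requires tshark on PATH."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    proc = subprocess.run(tshark_pdml_command(pcap_path, display_filter),
                          check=True, capture_output=True, text=True)
    return parse_pdml(proc.stdout)


if __name__ == "__main__":
    # Offline demo on the constructed sample: same columns as the answer's example.
    for pkt in parse_pdml(SAMPLE_PDML):
        print("protocols:", " / ".join(pkt["protocols"]))  # type: ignore[arg-type]
        print("\t".join(first_value(pkt, f) for f in ("vlan.id", "ip.src", "ip.dst")))
```

The same approach carries over to -T json, where each packet is a JSON object keyed by protocol name with field names as keys; PDML is shown here because its nesting makes the subtree relationship between fields explicit.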


Stats

Asked: 2022-06-01 20:27:13 +0000

Seen: 553 times

Last updated: Jun 02 '22