
How to write filter in tshark to get only data I need?

asked 2023-04-05 10:43:47 +0000

pac122

updated 2023-04-05 10:46:06 +0000

I would like to capture the database name, user ID and password into a JSON file. I would like to get the following output:

In the above image: DB01 is the database name, dbpw is the password and db2inst1 is the user ID.

In tshark I have written the command below:

tshark.exe -i 6 -f "tcp dst port 60127" -Y "drda.param.codepoint == 0x11a1" -T json -e "drda.param.codepoint" -e "" > c:\temp\wireshark.json

At the same time I captured traffic in Wireshark 4.0.4 just to get the same data graphically, because it is easier to imagine which data are captured.

Below image:

  • left side (Wireshark)
  • right side (tshark)

Problem is I get too much data.

How to write display filter in tshark to only get the data I want (first image in this post)?



1 Answer


answered 2023-04-05 13:05:24 +0000

Chuckc

There is an open issue:
18499: tshark's -T fields should support displaying instances of fields using "-e field#N" format, similar to how the new Wireshark 4.0.0 display filter syntax works.

Would you be interested in a Lua script to gather the data into a new field that could be exported?



If I understand correctly, the #N syntax, e.g. #2, should display the second occurrence if there are multiple occurrences. I have captured many files and I see that the number of occurrences differs. I can never say, for example, that the second occurrence is the data I want.

Actually, what I would like to have is a display filter such that immediately before the parameter value there is drda.param.codepoint == 0x11a1.

Yes, sure, a Lua script would be nice, but I have never even heard of the Lua language, so my knowledge is nil.

pac122 (2023-04-05 16:26:53 +0000)

Sample capture on the Wireshark wiki: drda_db2_sample.tgz
(It's a pcap inside a tar inside a gzip)
For drda.param.codepoint in {0x2110, 0x11a1, 0x11a0} you would like drda.param.codepoint and ?

Chuckc (2023-04-05 16:53:29 +0000)

For the sample capture mentioned above, this is the output with Lua script to extract EBCDIC data for a list of specific codepoints
(ignore -C Guacamole - Default profile is hosed at the moment)

p$ tshark -C Guacamole -r drda_db2_sample.cap -T json -e easypost.data_ebcdic -Y "drda.param.codepoint == 0x11a1"
    "_index": "packets-2007-04-02",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "easypost.data_ebcdic": [
          "MYDB2DB           ",
          "MYDB2DB           "
Chuckc (2023-04-05 21:07:53 +0000)

I checked the DRDA sample from the Wireshark samples and I see you have one entry too many in the output. In this case there are two PDUs in the TCP packet. I only need the data from the SECCHK PDU.

pac122 (2023-04-06 07:00:47 +0000)

There is not a relationship between the drda.ddm.codepoint and drda.param.codepoint fields.

Code point: SECCHK (0x106e) - drda.ddm.codepoint
Code point: ACCRDB (0x2001) - drda.ddm.codepoint

Code point: SECMEC (0x11a2) - drda.param.codepoint
Code point: RDBNAM (0x2110) - drda.param.codepoint
Code point: USRID (0x11a0) - drda.param.codepoint
Code point: PASSWORD (0x11a1) - drda.param.codepoint

Are the parameters you're after always part of a SECMEC (0x11a2)?
Or are they always in the same order - RDBNAM (0x2110), USRID (0x11a0), PASSWORD (0x11a1)?

Chuckc (2023-04-06 13:50:44 +0000)
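The comment above makes the key point: tshark's `-e` output flattens drda.param.codepoint values into one array per packet, so the RDBNAM/USRID/PASSWORD parameters lose their link to the SECCHK or ACCRDB command they were carried in. One way around that, without Lua, is to export the raw TCP payload (`tshark -r cap.pcap -Y drda -T fields -e tcp.payload`) and walk the DRDA structure yourself, keeping each parameter attached to the DSS it belongs to and only reporting SECCHK. The following is an added example written for this page, not code from the thread or from Wireshark. It assumes the standard DRDA DSS layout (2-byte length, 0xD0 magic, format byte, 2-byte correlation id, then the DDM object with its length, code point and parameters), does not handle continued or segmented DSSes, and runs on a constructed sample payload built inline; the hex-parsing helper name and the sample bytes are my own.

```python
import struct

# DRDA code points. These are the values Wireshark shows as
# drda.ddm.codepoint (commands) and drda.param.codepoint (parameters).
SECCHK = 0x106E    # security check command: carries the credentials
ACCRDB = 0x2001    # access RDB command: also carries RDBNAM, but no password
SECMEC = 0x11A2    # security mechanism (3 = USRIDPWD, clear-text user id + password)
RDBNAM = 0x2110    # relational database name
USRID = 0x11A0     # user id
PASSWORD = 0x11A1  # password
DSS_MAGIC = 0xD0   # byte that follows the 2-byte length in every DSS
EBCDIC = "cp037"   # DRDA character parameters are EBCDIC encoded


def payload_from_tshark_hex(text: str) -> bytes:
    """Turn one 'tcp.payload' value printed by tshark -T fields into bytes.
    Older tshark prints colon-separated hex, newer prints a plain hex string."""
    return bytes.fromhex(text.strip().replace(":", ""))


def parse_dss_stream(payload: bytes):
    """Split a TCP payload into DSS units.

    Returns [(ddm_codepoint, [(param_codepoint, raw_bytes), ...]), ...], one
    entry per DSS, so every parameter stays tied to its command. A malformed
    header raises ValueError rather than silently yielding junk.
    """
    units = []
    off = 0
    while off + 6 <= len(payload):
        dss_len, magic, _fmt, _corr = struct.unpack_from(">HBBH", payload, off)
        if magic != DSS_MAGIC or dss_len < 10 or off + dss_len > len(payload):
            raise ValueError(f"malformed DSS at offset {off}")
        dss = payload[off:off + dss_len]
        ddm_len, ddm_cp = struct.unpack_from(">HH", dss, 6)
        params = []
        p, end = 10, min(6 + ddm_len, dss_len)
        while p + 4 <= end:
            plen, pcp = struct.unpack_from(">HH", dss, p)
            if plen < 4 or p + plen > end:
                raise ValueError(f"malformed parameter at offset {off + p}")
            params.append((pcp, dss[p + 4:p + plen]))
            p += plen
        units.append((ddm_cp, params))
        off += dss_len
    return units


def extract_secchk_credentials(payload: bytes):
    """Return RDBNAM/USRID/PASSWORD from SECCHK units only; ACCRDB is skipped."""
    found = []
    for ddm_cp, params in parse_dss_stream(payload):
        if ddm_cp != SECCHK:
            continue
        fields = {cp: data for cp, data in params}

        def text(cp):
            return fields[cp].decode(EBCDIC).rstrip() if cp in fields else None

        found.append({"rdbnam": text(RDBNAM), "usrid": text(USRID), "password": text(PASSWORD)})
    return found


# --- constructed sample: a SECCHK chained to an ACCRDB in one TCP segment ---
def _param(cp: int, data: bytes) -> bytes:
    return struct.pack(">HH", 4 + len(data), cp) + data


def _dss(ddm_cp: int, params: list, corr: int, chained: bool) -> bytes:
    body = b"".join(params)
    ddm = struct.pack(">HH", 4 + len(body), ddm_cp) + body
    fmt = 0x01 | (0x40 if chained else 0)  # RQSDSS, optional chain bit
    return struct.pack(">HBBH", 6 + len(ddm), DSS_MAGIC, fmt, corr) + ddm


SAMPLE_PAYLOAD = (
    _dss(SECCHK, [_param(SECMEC, b"\x00\x03"),
                  _param(RDBNAM, "DB01".ljust(18).encode(EBCDIC)),
                  _param(USRID, "db2inst1".encode(EBCDIC)),
                  _param(PASSWORD, "dbpw".encode(EBCDIC))], corr=1, chained=True)
    + _dss(ACCRDB, [_param(RDBNAM, "DB01".ljust(18).encode(EBCDIC))], corr=2, chained=False)
)

if __name__ == "__main__":
    # With a real capture, read the lines of `-T fields -e tcp.payload` instead:
    #   for line in sys.stdin: print(extract_secchk_credentials(payload_from_tshark_hex(line)))
    print(extract_secchk_credentials(SAMPLE_PAYLOAD))
```

Because the parser reports per DSS, the ACCRDB's RDBNAM in the same segment never shows up as a second "entry", which is exactly the duplicate the comment above complains about. On a real capture, DRDA requests split across TCP segments need reassembly first (a reassembled `tcp.payload` from tshark, or a stream follow) before the DSS lengths will line up.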
