
Display Filters in TSHARK

asked 2023-05-14 13:18:48 +0000

chris200712

updated 2023-05-14 13:20:53 +0000

Simple question. I understand that in TSHARK you use the '-G fields' to get a list of fields to supply at the command line. Is there a way to do the same with Display Filters?

Just wondering about the quickest method or best practice in retrieving all information directly at the command line.



Display filters are stored in the dfilters file.
(See WSUG - 11.6. Configuration Profiles, B.3. Configuration Files)

For a given profile specified with the -C option, you would like to dump contents of the dfilters file?

Chuckc (2023-05-14 13:45:56 +0000)

Yes, but dump the GLOBAL configuration profile where all of the Display Filters reside.

To put it simply, I would like the same information I get from the Wireshark 'Display Filter' cheat sheet directly on the command line. If that is possible

I apologize if this is a N00b question, but trying to become as proficient as possible with TSHARK.

Take for instance, in WIRESHARK I can add a DISPLAY FILTER such as 'ip'. If I click on one of the elements in the packet details pane, I will be supplied with the field that DISPLAY FILTER corresponds to, such as ip.ttl. The equivalent is the -e option in TSHARK.

Another example:

tshark -r test.pcap -Y http.request -T fields -e http.user_agent

How can I find all DISPLAY FILTERS associated with http, such as the command stated above directly from the command line? Also, will TSHARK ...(more)

chris200712 (2023-05-15 03:03:35 +0000)

1 Answer


answered 2023-05-15 10:02:57 +0000

grahamb

tshark -G fields will display all fields that may be used in display filters.

To then only see http fields, use your shell filter capabilities, e.g. for PowerShell:

tshark -G fields | Select-String -SimpleMatch "http."

Note that PowerShell Select-String defaults to using a regex pattern, so the "." would have to be escaped. Using the SimpleMatch flag disables the regex.

If you want ALL http fields (http, http2, http3) then I would use a regex to select those fields, e.g.

tshark -G fields | Select-String "http[23]?\."
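The same filtering done in POSIX sh instead of PowerShell, as an added example that is not part of grahamb's answer. It embeds a constructed sample of `tshark -G fields` output so it runs without tshark installed; the column layout it assumes (a leading P or F marker, then display name, abbreviation, type and parent protocol, tab-separated) is what the real command prints, but the sample rows themselves, including the decoy field `x.http.referer`, are made up for this example. Matching is anchored on the abbreviation column, which is what you pass to -e or use in -Y, so a plain substring search over the whole line is shown alongside for comparison.

```sh
#!/bin/sh
# Constructed sample of `tshark -G fields` output (tab-separated columns:
# marker, name, abbreviation, type, parent protocol, base, bitmask, blurb).
# The rows are made up for this example; the decoy x.http.referer is not a
# real Wireshark field and exists only to show why anchoring matters.
SAMPLE_FIELDS=$(
  printf 'P\tHypertext Transfer Protocol\thttp\n'
  printf 'F\tRequest\thttp.request\tFT_BOOLEAN\thttp\t0x0\t0x0\tTRUE if HTTP request\n'
  printf 'F\tUser-Agent\thttp.user_agent\tFT_STRING\thttp\t0x0\t0x0\tHTTP User-Agent header\n'
  printf 'F\tTime to Live\tip.ttl\tFT_UINT8\tip\t0x0\t0x0\t\n'
  printf 'F\tStream Identifier\thttp2.streamid\tFT_UINT32\thttp2\t0x0\t0x0\t\n'
  printf 'F\tStream ID\thttp3.stream_id\tFT_UINT64\thttp3\t0x0\t0x0\t\n'
  printf 'F\tReferer (decoy)\tx.http.referer\tFT_STRING\tx\t0x0\t0x0\tconstructed decoy\n'
)

# Print the abbreviations of every field belonging to http, http2 or http3.
# Reads `tshark -G fields` text on stdin, e.g.:
#   tshark -G fields | http_field_abbrevs
# The regex is anchored at the start of the abbreviation column, so
# "x.http.referer" is excluded even though it contains "http.".
http_field_abbrevs() {
    awk -F '\t' '$1 == "F" && $3 ~ /^http[23]?\./ { print $3 }'
}

# Number of http/http2/http3 fields in the sample.
count_http_fields() {
    printf '%s\n' "$SAMPLE_FIELDS" | http_field_abbrevs | wc -l | tr -d ' '
}

# Plain substring match over the whole line (the PowerShell -SimpleMatch
# equivalent). It misses http2/http3 and catches the decoy.
naive_count() {
    printf '%s\n' "$SAMPLE_FIELDS" | grep -F -c 'http.'
}

# Look up the type of one field by its exact abbreviation, a quick way to
# confirm a name is valid before using it with -e or -Y.
# Usage: field_type ip.ttl
field_type() {
    printf '%s\n' "$SAMPLE_FIELDS" |
        awk -F '\t' -v want="$1" '$1 == "F" && $3 == want { print $4; exit }'
}

printf '%s\n' "$SAMPLE_FIELDS" | http_field_abbrevs
```

Against a live tshark, replace the sample with `tshark -G fields | http_field_abbrevs`; the awk filter is unchanged because it only depends on the column layout.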


Asked: 2023-05-14 13:18:48 +0000

Seen: 57 times

Last updated: May 15