make tshark output ignore irrelevant fields

asked 2023-07-31 10:48:24 +0000

updated 2023-07-31 13:06:18 +0000

flag of United Kingdom of Great Britain and Northern Ireland

23790 ●4 ●951 ●227 https://www.wireshark.org

I am trying to get tshark to produce output similar to what wireshark does, ie show fields only relevant to the found protocols etc. for each line separately

if I use

-T fields -e ip.proto -e udp.srcport -e udp.dstport -e tcp.srcport -e tcp.dstport

or such, it does print the UDP fields empty if the current frame is TCP and vice versa

Is there a way to make it print protocol fields conditionally or n lieu of each other, something like (pretending that -c is 'condition':)

-Tfields -e ip.proto "\( (-c ip-proto==17 -e tcp.srcport -e tcp.dstport) -o (-c ip.proto==6 -e udp.srcport -e udp.dstport)"

or such. I do want all data in one line, if possible

edit retag flag offensive close merge delete

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2023-07-31 14:50:14 +0000

cmaynard

11115 ●11 ●317 ●165 https://www.igt.com/

You can also try directly specifying the columns you want instead of using -T fields and -e field1 ... -e fieldN. For example:

Windows:

tshark.exe -r file.pcap -Y "tcp or udp" -o "gui.column.format:\"IP Protocol\",\"%Cus:ip.proto\",\"Source Port\",\"%S\",\"Destination Port\",\"%D\""

*Nix:

tshark -r file.pcap -Y "tcp or udp" -o 'gui.column.format:"IP Protocol","%Cus:ip.proto","Source Port","%S","Destination Port","%D"'

NOTE: You can use %rS for resolved source ports, %uS for unresolved source ports, %rD for resolved destination ports, or %uD for unresolved destination ports.

For more help with specifying columns, run tshark -G column-formats.

edit flag offensive delete link

add a comment

answered 2023-07-31 12:52:22 +0000

Chuckc
2873 ●6 ●571 ●20

output similar to what wireshark does

Do you mean Src port (unresolved) and Dest port (unresolved) columns?

If so, you can print columns with tshark:

Column names may be used prefixed with "_ws.col."

The column names are not intuitive but can be found in epan/column.c:

    { COL_UNRES_DST_PORT, "Dest port (unresolved)" },
...
    { COL_UNRES_SRC_PORT, "Src port (unresolved)" },

The columns will need to exist in the profile you are using with tshark.
You could add them to a new profile and tell tshark use it with the -C option:

-C <configuration profile=""> Run with the given configuration profile.

~$ tshark -r tcptst.pcap -T fields -e tcp.srcport -e _ws.col.unres_src_port -e _ws.col.unres_dst_port
443     443     18082
443     443     18082
443     443     18082