Ask Your Question
0

Tshark command to output the original source and destination IPs of an icmp.type==3 code==4 packet.

asked 2019-03-02 04:17:05 +0000

wbenton gravatar image

updated 2019-03-02 08:53:09 +0000

Guy Harris gravatar image

I want to use a Tshark command to pick out the original icmp source and destination ip and dump it into a text file:

Example (shortened):

No.     Time                          Source                Destination           Protocol SrcPrt DstPrt Length Info
      1 2019-02-26 15:33:43.297203    10.74.192.78          192.168.128.112       ICMP     34945  443    590    Destination unreachable (Fragmentation needed)

Internet Protocol Version 4, Src: 10.74.192.78, Dst: 192.168.128.112
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 4 (Fragmentation needed)
    Checksum: 0x8a3c [correct]
    [Checksum Status: Good]
    Unused: 0000
    MTU of next hop: 1280
    Internet Protocol Version 4, Src: 192.168.128.112, Dst: 36.92.190.198 <== I want these IP addresses dumped to a text file.

What Tshark command can I use to read in multiple files and only output the text source and IPs mentioned above?

Cheers,

edit retag flag offensive close merge delete

Comments

It's the second instance of tcp.src & tcp.dst that I'm interested in... not the first instance. The one in the ICMP header.

wbenton gravatar imagewbenton ( 2019-03-02 04:42:54 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
1

answered 2019-03-02 09:14:47 +0000

Guy Harris gravatar image

(Presumably you mean "ip.src" and "ip.dst", not "tcp.src" and "tcp.dst".)

To quote the tshark man page's description of the -T flag:

   −T  ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
   Set the format of the output when viewing decoded packet data.  The
   options are one of:

    ...

   fields The values of fields specified with the −e option, in a form
   specified by the −E option.  For example,

     tshark −T fields −E separator=, −E quote=d

   would generate comma‐separated values (CSV) output suitable for
   importing into your favorite spreadsheet program.

so you want -T fields.

To quote its description of the -e flag:

   −e  <field>
   Add a field to the list of fields to display if −T
   ek|fields|json|pdml is selected.  This option can be used multiple
   times on the command line.  At least one field must be provided if
   the −T fields option is selected. Column names may be used prefixed
   with "_ws.col."

   Example: tshark −e frame.number −e ip.addr −e udp −e _ws.col.Info

   Giving a protocol rather than a single field will print multiple
   items of data about the protocol as a single field.  Fields are
   separated by tab characters by default.  −E controls the format of
   the printed fields.

so you'll want -e ip.src and -e ip.dst.

And to quote its description of the -E flag:

   −E  <field print option>
   Set an option controlling the printing of fields when −T fields is
   selected.

   Options are:

    ...

   occurrence=f|l|a Select which occurrence to use for fields that
   have multiple occurrences.  If f the first occurrence will be used,
   if l the last occurrence will be used and if a all occurrences will
   be used (this is the default).

    ...

The second occurrence of the ip.src and ip.dst fields is the last occurrence, so you want the last occurrence - -E occurrence=l. (Lower-case "l", not the digit "1".)

So you'd want

tshark -T fields -E occurrence=l -e ip.src -e ip.dst
edit flag offensive delete link more

Comments

Yes, I was looking for ip.src and ip.dst and your final answer [tshark -r icmp.code4.pcapng -T fields -E occurrence=l -e ip.src -e ip.dst] did the trick.

Thank you so very much.

wbenton gravatar imagewbenton ( 2019-03-03 08:52:35 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2019-03-02 04:17:05 +0000

Seen: 1,606 times

Last updated: Mar 03 '19

Related questions

DNS Query answer with ICMP Code 3 - Type

Trouble reaching IPv4 websites