Ask Your Question

Tshark command to output the original source and destination IPs of an icmp.type==3 code==4 packet.

asked 2019-03-02 04:17:05 +0000

wbenton gravatar image

updated 2019-03-02 08:53:09 +0000

Guy Harris gravatar image

I want to use a Tshark command to pick out the original icmp source and destination ip and dump it into a text file:

Example (shortened):

No.     Time                          Source                Destination           Protocol SrcPrt DstPrt Length Info
      1 2019-02-26 15:33:43.297203       ICMP     34945  443    590    Destination unreachable (Fragmentation needed)

Internet Protocol Version 4, Src:, Dst:
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 4 (Fragmentation needed)
    Checksum: 0x8a3c [correct]
    [Checksum Status: Good]
    Unused: 0000
    MTU of next hop: 1280
    Internet Protocol Version 4, Src:, Dst: <== I want these IP addresses dumped to a text file.

What Tshark command can I use to read in multiple files and only output the text source and IPs mentioned above?


edit retag flag offensive close merge delete


It's the second instance of tcp.src & tcp.dst that I'm interested in... not the first instance. The one in the ICMP header.

wbenton gravatar imagewbenton ( 2019-03-02 04:42:54 +0000 )edit

1 Answer

Sort by » oldest newest most voted

answered 2019-03-02 09:14:47 +0000

Guy Harris gravatar image

(Presumably you mean "ip.src" and "ip.dst", not "tcp.src" and "tcp.dst".)

To quote the tshark man page's description of the -T flag:

   −T  ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
   Set the format of the output when viewing decoded packet data.  The
   options are one of:


   fields The values of fields specified with the −e option, in a form
   specified by the −E option.  For example,

     tshark −T fields −E separator=, −E quote=d

   would generate comma‐separated values (CSV) output suitable for
   importing into your favorite spreadsheet program.

so you want -T fields.

To quote its description of the -e flag:

   −e  <field>
   Add a field to the list of fields to display if −T
   ek|fields|json|pdml is selected.  This option can be used multiple
   times on the command line.  At least one field must be provided if
   the −T fields option is selected. Column names may be used prefixed
   with "_ws.col."

   Example: tshark −e frame.number −e ip.addr −e udp −e _ws.col.Info

   Giving a protocol rather than a single field will print multiple
   items of data about the protocol as a single field.  Fields are
   separated by tab characters by default.  −E controls the format of
   the printed fields.

so you'll want -e ip.src and -e ip.dst.

And to quote its description of the -E flag:

   −E  <field print option>
   Set an option controlling the printing of fields when −T fields is

   Options are:


   occurrence=f|l|a Select which occurrence to use for fields that
   have multiple occurrences.  If f the first occurrence will be used,
   if l the last occurrence will be used and if a all occurrences will
   be used (this is the default).


The second occurrence of the ip.src and ip.dst fields is the last occurrence, so you want the last occurrence - -E occurrence=l. (Lower-case "l", not the digit "1".)

So you'd want

tshark -T fields -E occurrence=l -e ip.src -e ip.dst
edit flag offensive delete link more


Yes, I was looking for ip.src and ip.dst and your final answer [tshark -r icmp.code4.pcapng -T fields -E occurrence=l -e ip.src -e ip.dst] did the trick.

Thank you so very much.

wbenton gravatar imagewbenton ( 2019-03-03 08:52:35 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools


Asked: 2019-03-02 04:17:05 +0000

Seen: 936 times

Last updated: Mar 03 '19