This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark commands -e and -T

0

I want to print the information that I need of a PCAP file. I know that I can use the command "tshark -e":

tshark -r rdpcap.pcap -e ip.src -e ip.dst -e data -e frame.number -T fields

My question is: How can I display the "id source port", "id destination port"?

And for "-e data", is it possible to display just the first 8 bytes?

asked 02 May '12, 08:32

Alice
accept rate: 0%

edited 02 May '12, 14:47

helloworld


One Answer:

1

I guess you are interested in tcp.srcport and tcp.dstport, so please use this:

tshark -i 1 -n -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e data -T fields

If you need the UDP source port, replace tcp with udp, e.g. udp.srcport.

And for "-e data", is it possible to display just the first 8 bytes?

Unfortunately, this is not possible. However, you can limit the total packet size with editcap, effectively getting only 8 bytes of data, at least in most cases.

Capture

tshark -i 1 -n -w http.pcap

Truncate

editcap.exe -s 62 http.pcap http_truncated.pcap

Print

tshark -n -r http_truncated.pcap -e frame.number -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e data -T fields

Regards
Kurt

answered 02 May '12, 11:43

Kurt Knochner ♦
accept rate: 15%

edited 03 May '12, 15:46

helloworld

Thank you. I tried "-e udp.srcport", that works!! I have another question, it would be so nice if you can help me again. If I want to print the ID, is there something like "-e id.src, -e id.dst"? I tried this command, but it doesn't work. And for "-e frame.time", I just want to display "Mai 3, 2012 10:00:00", not "Mai 3, 2012 10:00:00:958252000". Can I?

Regards

(03 May '12, 00:59) Alice

What is the element you are calling "id"? To see most of the element names that you can supply to -e, open the capture in the Wireshark GUI, click on the field you are interested in in the packet tree, and the status bar will show you the field name.

There are a number of other frame.timeXXX fields you could use, but they all display fractional seconds. The format you require doesn't appear to be supported, and the -t and -u parameters don't affect field values.

(03 May '12, 02:29) grahamb ♦

What do you mean by "ID"? Is it the IP ID? If yes, please use "-e ip.id".

(03 May '12, 03:59) Kurt Knochner ♦
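
To make the snaplen caveat from the answer concrete, here is an added Python example; it is not code from this thread or from the Wireshark project. It builds a small constructed capture in memory, applies the same fixed-snaplen truncation that "editcap -s 62" applies to an existing file, and then extracts the fields the answer's "-T fields" command prints (plus ip.id from the comments) from each record. All of the traffic is constructed sample data: the MAC and IP addresses, ports, the IP ID 0x1234 and the payloads are assumptions. The first frame has a plain 20-byte TCP header, so 62 bytes leaves exactly 8 bytes of data; the second carries 12 bytes of TCP options, so at 62 bytes the TCP header itself is cut off and no data field can be dissected at all. Cutting the data after dissection instead (nbytes=8 below, the equivalent of trimming the hex string tshark prints for "data" to 16 characters) does not have that problem.

```python
import struct

ETH_HDR = 14  # Ethernet II header length, no VLAN tag in the constructed frames


def build_frame(src_ip, dst_ip, sport, dport, payload, tcp_options=b""):
    """Ethernet/IPv4/TCP frame with constructed (assumed) addresses. Checksums are
    left zero; tcp_options must be a multiple of 4 bytes so the data offset is exact."""
    assert len(tcp_options) % 4 == 0
    data_offset = ((20 + len(tcp_options)) // 4) << 12      # upper 4 bits of offset/flags word
    flags = 0x018                                             # PSH + ACK
    tcp = struct.pack("!HHIIHHHH", sport, dport, 1, 1, data_offset | flags, 8192, 0, 0)
    tcp += tcp_options + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp


def write_pcap(frames, snaplen=65535):
    """Serialise frames as a classic pcap (LINKTYPE_ETHERNET). A snaplen below the
    frame length keeps only the first `snaplen` bytes and records caplen < origlen,
    which is what `editcap -s <snaplen>` does to an existing capture."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, 1)
    for i, frame in enumerate(frames):
        captured = frame[:snaplen]
        out += struct.pack("<IIII", 1335960000 + i, 0, len(captured), len(frame)) + captured
    return out


def read_pcap(blob):
    """Return (ts_sec, caplen, origlen, bytes) per record of a little-endian pcap."""
    magic, = struct.unpack_from("<I", blob, 0)
    assert magic == 0xA1B2C3D4, "only the classic little-endian pcap format is handled here"
    pos, records = 24, []
    while pos < len(blob):
        ts_sec, _, caplen, origlen = struct.unpack_from("<IIII", blob, pos)
        pos += 16
        records.append((ts_sec, caplen, origlen, blob[pos:pos + caplen]))
        pos += caplen
    return records


def extract_fields(frame_no, frame, nbytes=8):
    """Rough equivalent of
    tshark -T fields -e frame.number -e ip.src -e ip.dst -e ip.id -e tcp.srcport -e tcp.dstport -e data
    with `data` cut to its first nbytes (None keeps everything captured). Header lengths
    are taken from IHL and the TCP data offset rather than assumed. Returns None when the
    captured bytes end before the TCP header does, i.e. the snaplen was too small."""
    if len(frame) < ETH_HDR + 20 or frame[12:14] != b"\x08\x00":
        return None
    ip = ETH_HDR
    ihl = (frame[ip] & 0x0F) * 4
    ip_id, = struct.unpack_from("!H", frame, ip + 4)
    if frame[ip + 9] != 6:                                   # not TCP
        return None
    src = ".".join(map(str, frame[ip + 12:ip + 16]))
    dst = ".".join(map(str, frame[ip + 16:ip + 20]))
    tcp = ip + ihl
    if len(frame) < tcp + 20:
        return None
    sport, dport = struct.unpack_from("!HH", frame, tcp)
    doff = (frame[tcp + 12] >> 4) * 4
    if len(frame) < tcp + doff:                              # options cut off by the snaplen
        return None
    payload = frame[tcp + doff:]
    return {"frame.number": frame_no, "ip.src": src, "ip.dst": dst, "ip.id": ip_id,
            "tcp.srcport": sport, "tcp.dstport": dport, "data": payload[:nbytes].hex()}


FIELD_ORDER = ("frame.number", "ip.src", "ip.dst", "ip.id", "tcp.srcport", "tcp.dstport", "data")


def fields_lines(pcap_blob, nbytes=8):
    """One tab-separated line per frame, in -e argument order, like `-T fields` output."""
    lines = []
    for no, (_, caplen, origlen, frame) in enumerate(read_pcap(pcap_blob), start=1):
        f = extract_fields(no, frame, nbytes)
        if f is None:
            lines.append(f"{no}\t<header truncated: {caplen} of {origlen} bytes captured>")
        else:
            lines.append("\t".join(str(f[k]) for k in FIELD_ORDER))
    return lines


# Constructed sample traffic (not from a real capture): a request with a plain
# 20-byte TCP header and a reply whose TCP header carries 12 bytes of options
# (NOP, NOP, timestamp), as most modern stacks send.
TS_OPT = b"\x01\x01\x08\x0a" + b"\x00\x00\x00\x01" + b"\x00\x00\x00\x02"
FRAMES = [
    build_frame("10.0.0.1", "10.0.0.2", 40000, 80, b"GET / HTTP/1.1\r\n"),
    build_frame("10.0.0.2", "10.0.0.1", 80, 40000, b"HTTP/1.1 200 OK\r\n", tcp_options=TS_OPT),
]

if __name__ == "__main__":
    print("full capture, data cut to 8 bytes after dissection:")
    print("\n".join(fields_lines(write_pcap(FRAMES))))
    print("capture truncated to 62 bytes, as editcap -s 62 would do:")
    print("\n".join(fields_lines(write_pcap(FRAMES, snaplen=62), nbytes=None)))
```

The first frame yields the same 16 hex characters either way, but the second frame survives the 62-byte truncation only as a partial TCP header, so any pipeline that relies on editcap for the cut has to be checked against the header sizes actually present in the capture (IP options, TCP options, VLAN tags) before trusting the "data" column.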