Revision history

revision 1 (initial version)

How to write a filter in tshark to get only the data I need?

I would like to capture the database name, userid and passwords into a JSON file. I would like to get the following output:

In the above image: DB is the database name, dbpw is the password and db2inst1 is the userid.

In tshark I have written the command below:

tshark.exe -i 6 -f "tcp dst port 60127" -Y "drda.param.codepoint == 0x11a1" -T json -e "drda.param.codepoint" -e "drda.param.data.ebcdic" > c:\temp\wireshark.json

At the same time I captured traffic in Wireshark 4.0.4 just to get the same data graphically, because it is easier to imagine which data are captured.

Below image: left side (Wireshark), right side (tshark)

The problem is that I get too much data. How do I write a display filter in tshark to only get the data I want (first image in this post)? Thanks

revision 2

How to write a filter in tshark to get only the data I need?

I would like to capture the database name, userid and passwords into a JSON file. I would like to get the following output:

In the above image: DBDB01 is the database name, dbpw is the password and db2inst1 is the userid.

In tshark I have written the command below:

tshark.exe -i 6 -f "tcp dst port 60127" -Y "drda.param.codepoint == 0x11a1" -T json -e "drda.param.codepoint" -e "drda.param.data.ebcdic" > c:\temp\wireshark.json

At the same time I captured traffic in Wireshark 4.0.4 just to get the same data graphically, because it is easier to imagine which data are captured.

Below image: left side (Wireshark), right side (tshark)

The problem is that I get too much data. How do I write a display filter in tshark to only get the data I want (first image in this post)? Thanks

revision 3

How to write a filter in tshark to get only the data I need?

I would like to capture the database name, userid and passwords into a JSON file. I would like to get the following output:

In the above image: DB01 is the database name, dbpw is the password and db2inst1 is the userid.

In tshark I have written the command below:

tshark.exe -i 6 -f "tcp dst port 60127" -Y "drda.param.codepoint == 0x11a1" -T json -e "drda.param.codepoint" -e "drda.param.data.ebcdic" > c:\temp\wireshark.json

At the same time I captured traffic in Wireshark 4.0.4 just to get the same data graphically, because it is easier to imagine which data are captured.

Below image:

  • left side (Wireshark)
  • right side (tshark)

The problem is that I get too much data. How do I write a display filter in tshark to only get the data I want (first image in this post)? Thanks

revision 4

How to write a filter in tshark to get only the data I need?

I would like to capture the database name, userid and passwords into a JSON file. I would like to get the following output:

In the above image: DB01 is the database name, dbpw is the password and db2inst1 is the userid.

In tshark I have written the command below:

tshark.exe -i 6 -f "tcp dst port 60127" -Y "drda.param.codepoint == 0x11a1" -T json -e "drda.param.codepoint" -e "drda.param.data.ebcdic" > c:\temp\wireshark.json

At the same time I captured traffic in Wireshark 4.0.4 just to get the same data graphically, because it is easier to imagine which data are captured.

Below image:

  • left side (Wireshark)
  • right side (tshark)

The problem is that I get too much data.

How do I write a display filter in tshark to only get the data I want (first image in this post)?

Thanks
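A display filter (-Y) only decides which packets are kept; every occurrence of an -e field in a kept packet is still written out, which is why the JSON holds more than the three values wanted. Post-processing that JSON is one way round it, shown here as an added example that is not from this question or from the Wireshark project: the script reads the _source.layers lists that "-T json -e" writes (constructed sample embedded), keeps only the RDBNAM/USRID/PASSWORD parameters, flags a packet that carried a cleartext password instead of copying the value out, and refuses to pair codepoint and EBCDIC lists of unequal length. The codepoint numbers are the DRDA spec's; that the two lists line up one-to-one in a packet is an assumption about the dissector's output, which the length check guards.

```python
import json
import sys

# DRDA DDM codepoints of the three parameters the question asks for (DRDA spec values).
RDBNAM, USRID, PASSWORD = 0x2110, 0x11A0, 0x11A1
FIELD_NAMES = {RDBNAM: "database", USRID: "userid", PASSWORD: "password"}

# Constructed sample in the shape `tshark -T json -e drda.param.codepoint
# -e drda.param.data.ebcdic` writes: one object per packet, each -e field a
# list of display strings under _source.layers. All values are made up.
SAMPLE_TSHARK_JSON = json.dumps([
    {"_source": {"layers": {                      # 3 codepoints but 2 strings:
        "drda.param.codepoint": ["0x2110", "0x11a0", "0x11a1"],   # cannot be paired safely
        "drda.param.data.ebcdic": ["DB01", "db2inst1"]}}},
    {"_source": {"layers": {                      # the login the question shows
        "drda.param.codepoint": ["0x2110", "0x11a0", "0x11a1"],
        "drda.param.data.ebcdic": ["DB01", "db2inst1", "dbpw"]}}},
])


def extract_logins(tshark_json):
    """Keep only RDBNAM/USRID/PASSWORD per packet; returns a list of dicts.

    The password value is never copied out: the packet is only flagged as
    carrying a cleartext password, which is what an audit of the DB2 link
    needs. Packets whose two field lists differ in length are reported as
    unaligned instead of guessed at (zip would pair values with the wrong
    parameter).
    """
    results = []
    for pkt in json.loads(tshark_json):
        layers = pkt["_source"]["layers"]
        codepoints = layers.get("drda.param.codepoint", [])
        values = layers.get("drda.param.data.ebcdic", [])
        if len(codepoints) != len(values):
            results.append({"unaligned": True, "codepoints": codepoints})
            continue
        entry = {}
        for cp, val in zip(codepoints, values):
            name = FIELD_NAMES.get(int(cp, 16))   # "0x11a1" -> 0x11A1; unknown -> None
            if name == "password":
                entry["cleartext_password_seen"] = True
            elif name is not None:
                entry[name] = val
        if entry:
            results.append(entry)
    return results


if __name__ == "__main__":
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TSHARK_JSON
    print(json.dumps(extract_logins(raw), indent=1))
```

Run it as `python drda_logins.py c:\temp\wireshark.json` against the file the command in the question produces; with no argument it processes the embedded sample.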