Revision history

make tshark output ignore irrelevant fields

I am trying to get tshark to produce output similar to what Wireshark does, i.e. show only the fields relevant to the protocols found, for each line separately.

If I use -T fields -e ip.proto -e udp.srcport -e udp.dstport -e tcp.srcport -e tcp.dstport or such, it does print the UDP fields empty if the current frame is TCP and vice versa.

Is there a way to make it print protocol fields conditionally or in lieu of each other, something like (pretending that -c is 'condition'):

-Tfields -e ip.proto "( (-c ip-proto==17 -e tcp.srcport -e tcp.dstport) -o (-c ip.proto==6 -e udp.srcport -e udp.dstport)"

or such. I do want all data in one line, if possible.

make tshark output ignore irrelevant fields

I am trying to get tshark to produce output similar to what Wireshark does, i.e. show only the fields relevant to the protocols found, for each line separately.

If I use

-T fields -e ip.proto -e udp.srcport -e udp.dstport -e tcp.srcport -e tcp.dstport

or such, it does print the UDP fields empty if the current frame is TCP and vice versa.

Is there a way to make it print protocol fields conditionally or in lieu of each other, something like (pretending that -c is 'condition'):

-Tfields -e ip.proto "( "\( (-c ip-proto==17 -e tcp.srcport -e tcp.dstport) -o (-c ip.proto==6 -e udp.srcport -e udp.dstport)"

or such. I do want all data in one line, if possible.
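
One way to get the per-frame behaviour asked about above is to post-process the `-T fields` output rather than make tshark itself conditional. This is an added example, not part of the original post or of Wireshark: the function names `compact_fields` and `sample_output`, the file name `capture.pcap` and the sample rows are assumptions made up for illustration. It relies on tshark's `-E header=y` option to print the field names as the first line, and it works for any `-e` list, not only the five fields in the question.

```shell
#!/bin/sh
# Added example. Intended use (capture.pcap is a placeholder file name):
#   tshark -r capture.pcap -T fields -E header=y \
#     -e ip.proto -e udp.srcport -e udp.dstport \
#     -e tcp.srcport -e tcp.dstport | compact_fields

# Read tab-separated tshark output whose first line is the header row.
# For every frame print one line of name=value pairs, skipping the
# fields tshark left empty because the protocol is absent in that frame.
compact_fields() {
    awk -F '\t' '
        NR == 1 { for (i = 1; i <= NF; i++) name[i] = $i; next }
        {
            out = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "") continue            # irrelevant for this frame
                out = out (out == "" ? "" : " ") name[i] "=" $i
            }
            # A frame with no matching field still yields an (empty) line,
            # so output line N keeps corresponding to frame N.
            print out
        }'
}

# Constructed sample of what tshark prints for a UDP, a TCP and an
# ICMP frame with the field list above (not taken from a real capture).
sample_output() {
    printf 'ip.proto\tudp.srcport\tudp.dstport\ttcp.srcport\ttcp.dstport\n'
    printf '17\t53124\t53\t\t\n'
    printf '6\t\t\t44321\t443\n'
    printf '1\t\t\t\t\n'
}

sample_output | compact_fields
```

Each frame stays on one line, and the field names travel with the values, so a log pipeline can still tell a UDP port from a TCP port after the empty columns are gone.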