
control of tshark -V output


Is there a way to print the packet details of only a specific layer/protocol while ignoring or summarizing the rest? For example, I want to compress this:

Frame 1: 48 bytes on wire (384 bits), 48 bytes captured (384 bits)
    Arrival Time: May 22, 2011 02:07:16.384560000 PDT
    Epoch Time: 1306217236.384560000 seconds
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 48 bytes (384 bits)
    Capture Length: 48 bytes (384 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth:ip:udp:foo]
Ethernet II, Src: Abcd_FF:FF:FF (FF:FF:FF:FF:FF:FF), Dst: Cisco-Li_FF:FF:FF (FF:FF:FF:FF:FF:FF)
    Destination: 
        Address: 
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Source: 
        Address: 
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 192.168.1.2 (192.168.1.2), Dst: 1.2.3.4 (1.2.3.4)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 34
    Identification: 0x6af2 (27378)
    Flags: 0x00
        0... .... = Reserved bit: Not set
        .0.. .... = Don't fragment: Not set
        ..0. .... = More fragments: Not set
    Fragment offset: 0
    Time to live: 64
    Protocol: UDP (17)
    Header checksum: 0x0000 [validation disabled]
        [Good: False]
        [Bad: False]
    Source: 192.168.1.2 (192.168.1.2)
    Destination: 1.2.3.4 (1.2.3.4)
User Datagram Protocol, Src Port: 49589 (49589), Dst Port: cbt (7777)
    Source port: 49589 (49589)
    Destination port: cbt (7777)
    Length: 14
    Checksum: 0xc64f [validation disabled]
        [Good Checksum: False]
        [Bad Checksum: False]
Foo Protocol
        Field A: 68656c
        Field B: 0xf4240

into this:

 Frame 1: 48 bytes on wire (384 bits), 48 bytes captured (384 bits)
 Internet Protocol, Src: 192.168.1.2 (192.168.1.2), Dst: 1.2.3.4 (1.2.3.4)
 User Datagram Protocol, Src Port: 49589 (49589), Dst Port: cbt (7777)
 Foo Protocol
        Field A: 68656c
        Field B: 0xf4240

asked 23 May '11, 23:18

helloworld


One Answer:


Yes, that is possible, but was only added to the repository very recently. I'm not sure whether it has made it into 1.6.0rc1 but you could try. If it's not in there, you'd have to use an automated build version, compile your own or wait for 1.7.0 to come out.

From the 'tshark -h' output:

-O <protocols>           Only show packet details of these protocols, comma
                         separated

answered 24 May '11, 01:48

SYN-bit
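
For a tshark build without -O, the same reduction can be applied to the -V text itself. The following is an added example, not part of the original answer or of Wireshark: a shell/awk filter that keeps every top-level line and prints the indented details only for sections whose header starts with one of the given strings. The function names and the prefix-matching interface are assumptions of this sketch, and the sample input is constructed by abridging the output in the question.

```shell
#!/bin/sh
# Added example: post-filter for the text that `tshark -V` prints.
# Each argument is the leading text of a top-level header line whose
# details should be kept (hypothetical interface; -O takes protocol names).

expand_only() {
    # Pass the prefixes through the environment, one per line, so awk
    # does not apply backslash-escape processing to them.
    WANT=$(printf '%s\n' "$@") awk '
        BEGIN { n = split(ENVIRON["WANT"], want, "\n") }
        # Blank line separates frames: close the current section.
        /^$/ { show = 0; print; next }
        # Column-0 line: a new top-level protocol section starts.
        /^[^ \t]/ {
            show = 0
            for (i = 1; i <= n; i++)
                if (want[i] != "" && index($0, want[i]) == 1) show = 1
            print
            next
        }
        # Indented detail line: print only inside an expanded section.
        show { print }
    '
}

# Constructed sample, abridged from the -V output in the question.
sample_v_output() {
    cat <<'EOF'
Frame 1: 48 bytes on wire (384 bits), 48 bytes captured (384 bits)
    Frame Number: 1
    [Protocols in frame: eth:ip:udp:foo]
Internet Protocol, Src: 192.168.1.2 (192.168.1.2), Dst: 1.2.3.4 (1.2.3.4)
    Version: 4
    Time to live: 64
User Datagram Protocol, Src Port: 49589 (49589), Dst Port: cbt (7777)
    Length: 14
Foo Protocol
        Field A: 68656c
        Field B: 0xf4240
EOF
}

sample_v_output | expand_only "Foo Protocol"
```

On a live capture the filter sits at the end of the pipe, for example `tshark -r capture.pcap -V | expand_only "Foo Protocol"`, where `capture.pcap` is a placeholder file name.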