I am using Ubuntu 14.10 and doing some post-processing on output from tshark (tshark -r pcapFile -V -P -x). The problem is, the format of the info line looks different between versions.
On TShark 1.10.6
6 0.000569 10.10.11.37 46145 10.10.10.161 80 HTTP 152 GET / HTTP/1.0
On TShark 1.12.1
6 0.000569 10.10.11.37 -> 10.10.10.161 HTTP 152 GET / HTTP/1.0
On version 1.12.1, I don't see the port numbers (src, dst) as on version 1.10.6.
I am thinking of using a standalone tshark executable (say for 1.10.6), but the current tshark has lots of dependencies. I wonder where to get one or how to create one. Thanks.
Edit 1: I need the output to be like the following. The problem is, if I use the "-T" options for tshark to influence the output of the "info" line (the first line), I will not be able to have the rest of the output lines.
4 0.000342 10.10.10.161 -> 10.10.11.37 TCP 62 80→46145 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0 MSS=1460 SACK_PERM=1
Frame 4: 62 bytes on wire (496 bits), 62 bytes captured (496 bits)
Encapsulation type: Ethernet (1)
Arrival Time: Sep 18, 2009 10:53:55.465815000 CDT
[Time shift for this packet: 0.000000000 seconds]
Epoch Time: 1253289235.465815000 seconds
[Time delta from previous captured frame: 0.000178000 seconds]
[Time delta from previous displayed frame: 0.000178000 seconds]
[Time since reference or first frame: 0.000342000 seconds]
Frame Number: 4
Frame Length: 62 bytes (496 bits)
Capture Length: 62 bytes (496 bits)
[Frame is marked: False]
[Frame is ignored: False]
[Protocols in frame: eth:ethertype:ip:tcp]
Ethernet II, Src: Dell_8c:d7:8c (00:13:72:8c:d7:8c), Dst: Dell_32:44:cb (00:1e:c9:32:44:cb)
Destination: Dell_32:44:cb (00:1e:c9:32:44:cb)
Address: Dell_32:44:cb (00:1e:c9:32:44:cb)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Source: Dell_8c:d7:8c (00:13:72:8c:d7:8c)
Address: Dell_8c:d7:8c (00:13:72:8c:d7:8c)
.... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
.... ...0 .... .... .... .... = IG bit: Individual address (unicast)
Type: IP (0x0800)
Internet Protocol Version 4, Src: 10.10.10.161 (10.10.10.161), Dst: 10.10.11.37 (10.10.11.37)
Version: 4
Header Length: 20 bytes
Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00: Not-ECT (Not ECN-Capable Transport))
0000 00.. = Differentiated Services Codepoint: Default (0x00)
.... ..00 = Explicit Congestion Notification: Not-ECT (Not ECN-Capable Transport) (0x00)
Total Length: 48
Identification: 0x0000 (0)
Flags: 0x02 (Don't Fragment)
0... .... = Reserved bit: Not set
.1.. .... = Don't fragment: Set
..0. .... = More fragments: Not set
Fragment offset: 0
Time to live: 64
Protocol: TCP (6)
Header checksum: 0x10ef [validation disabled]
[Good: False]
[Bad: False]
Source: 10.10.10.161 (10.10.10.161)
Destination: 10.10.11.37 (10.10.11.37)
[Source GeoIP: Unknown]
[Destination GeoIP: Unknown]
Transmission Control Protocol, Src Port: 80 (80), Dst Port: 46145 (46145), Seq: 0, Ack: 1, Len: 0
Source Port: 80 (80)
Destination Port: 46145 (46145)
[Stream index: 0]
[TCP Segment Len: 0]
Sequence number: 0 (relative sequence number)
Acknowledgment number: 1 (relative ack number)
Header Length: 28 bytes
.... 0000 0001 0010 = Flags: 0x012 (SYN, ACK)
000. .... .... = Reserved: Not set
...0 .... .... = Nonce: Not set
.... 0... .... = Congestion Window Reduced (CWR): Not set
.... .0.. .... = ECN-Echo: Not set
.... ..0. .... = Urgent: Not set
.... ...1 .... = Acknowledgment: Set
.... .... 0... = Push: Not set
.... .... .0.. = Reset: Not set
.... .... ..1. = Syn: Set
[Expert Info (Chat/Sequence): Connection establish acknowledge (SYN+ACK): server port 80]
[Connection establish acknowledge (SYN+ACK): server port 80]
[Severity level: Chat]
[Group: Sequence]
.... .... ...0 = Fin: Not set
Window size value: 5840
[Calculated window size: 5840]
Checksum: 0x3044 [validation disabled]
[Good Checksum: False]
[Bad Checksum: False]
Urgent pointer: 0
Options: (8 bytes), Maximum segment size, No-Operation (NOP), No-Operation (NOP), SACK permitted
Maximum segment size: 1460 bytes
Kind: Maximum Segment Size (2)
Length: 4
MSS Value: 1460
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
No-Operation (NOP)
Type: 1
0... .... = Copy on fragmentation: No
.00. .... = Class: Control (0)
...0 0001 = Number: No-Operation (NOP) (1)
TCP SACK Permitted Option: True
Kind: SACK Permitted (4)
Length: 2
[SEQ/ACK analysis]
[This is an ACK to the segment in frame: 3]
[The RTT to ACK the segment was: 0.000178000 seconds]
0000 00 1e c9 32 44 cb 00 13 72 8c d7 8c 08 00 45 00 ...2D...r.....E.
0010 00 30 00 00 40 00 40 06 10 ef 0a 0a 0a a1 0a 0a .0..@.@.........
0020 0b 25 00 50 b4 41 3e 1b 68 16 f0 9d c6 c0 70 12 .%.P.A>.h.....p.
0030 16 d0 30 44 00 00 02 04 05 b4 01 01 04 02 ..0D..........
asked 17 May ‘15, 20:30
pktUser1001
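A small normaliser for the two summary-line layouts, as an added example that is not part of the original question or of tshark itself: it reads -V -P -x output from either version, recovers the ports for the 1.12.x layout from the "Source Port" / "Destination Port" lines of the detail tree, keeps the remaining detail and hex-dump lines per packet, and re-emits the summary line in the 1.10.6 column order. The sample input is constructed from the lines quoted in the question.

```python
import re

# Summary (info) line of tshark 1.10.x (ports are separate columns); both patterns built from the question.
INFO_1_10 = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>\S+)\s+(?P<dport>\d+)\s+(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$")
# Summary line of tshark 1.12.x: "src -> dst" and no port columns.
INFO_1_12 = re.compile(
    r"^\s*(?P<frame>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s+(?P<len>\d+)\s+(?P<info>.*)$")
# Port lines of the -V detail tree, e.g. "Source Port: 80 (80)"; same in both versions.
PORT_LINE = re.compile(r"^\s*(?P<which>Source|Destination) Port:\s+\S+\s+\((?P<port>\d+)\)")
FIELDS = ("frame", "time", "src", "sport", "dst", "dport", "proto", "len", "info")

def parse_records(text):
    """One dict per packet from `tshark -V -P -x` output, normalised to the 1.10.6 columns;
    for 1.12.x input the ports come from the detail tree. Requiring a fractional time
    keeps hex-dump lines such as "0010 00 30 ..." from being taken for a summary line."""
    records = []
    for line in text.splitlines():
        m = INFO_1_10.match(line) or INFO_1_12.match(line)
        if m:
            rec = {k: m.groupdict().get(k) for k in FIELDS}   # sport/dport None for 1.12.x
            rec["detail"] = []            # the remaining -V/-x lines of this packet
            records.append(rec)
        elif records:                     # lines before the first summary line are skipped
            records[-1]["detail"].append(line)
            pm = PORT_LINE.match(line)
            if pm:  # first (outermost) port line wins; 1.10.x records already carry ports
                key = "sport" if pm.group("which") == "Source" else "dport"
                records[-1][key] = records[-1][key] or pm.group("port")
    return records

def to_1_10_line(rec):
    """Re-emit the summary line in the 1.10.6 layout an existing parser expects."""
    return " ".join(rec[k] if rec[k] is not None else "-" for k in FIELDS)

# Constructed sample: two 1.12.1 summary lines from the question with abridged detail trees.
SAMPLE_1_12 = """\
4 0.000342 10.10.10.161 -> 10.10.11.37 TCP 62 80→46145 [SYN, ACK] Seq=0 Ack=1 Win=5840 Len=0
    Source Port: 80 (80)
    Destination Port: 46145 (46145)
0010  00 30 00 00 40 00 40 06 10 ef 0a 0a 0a a1 0a 0a   .0..@.@.........
6 0.000569 10.10.11.37 -> 10.10.10.161 HTTP 152 GET / HTTP/1.0
    Source Port: 46145 (46145)
    Destination Port: 80 (80)
"""

if __name__ == "__main__":
    for rec in parse_records(SAMPLE_1_12):
        print(to_1_10_line(rec))
```

The second record re-emits exactly as the 1.10.6 line quoted in the question, so the downstream parser can stay unchanged.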
Thanks @Kurt for the quick response at this time. I need both the info line (the first line) to be in the right format (like by tshark v 1.10.6) and also the other outputs from tshark -r pcapFile -V -P -x.
As I've written: You can either use -T fields to craft your own output version and modify your parser script (this would be the most flexible option), or you can modify the column formats to get it as close as possible to the old 1.10.x style. It won't be the same, but "somehow" close.
Post-processing of output should always be done on machine-readable output (produced by set rules as defined by the -T fields options), instead of human-readable output as produced by TShark without these options.
When machine-readable output is unavailable, human-readable output can be used, but, as you've noticed, it may vary from version to version, which can make scripting/post-processing a bit of a pain.
Thanks again, I updated the question on why using "-T fields" is not enough for my case.
See the ++ Update ++ in my answer.
Thanks @Kurt for the updated answer. It works great!