Can I specify a raw port number as a tshark command -e option

Question

Hi,

I extract the tshark packet list fields into a CSV using:

tshark -2 -q -ta -T fields -E separator=, -E quote=d -E header=y -e frame.number -e _ws.col.Time -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport -e _ws.col.Info -r _file_name_

Rather than use tcp.srcport and tcp.dstport I'd like to include the port number from any transport protocol. I can do this in Wireshark by defining columns with Src port (unresolved) and Dest port (unresolved). Is there an equivalent for tshark command line parameters?

Thanks and regards...Paul

Answer 1

I'm not aware of a way to do this directly with Wireshark, but you might be able to write a Lua postdissector that utilizes field extractors of both the UDP and TCP source and destination ports and then add a new generic port number field which you can then specify on the tshark command-line, e.g., -e transport.srcport -e transport.dstport.

Another possible alternative might be to just specify the columns you want, but if you want them comma-separated in order to be able to export them to a CSV file, then that probably won't work for you. Here's what that might look like though:

tshark.exe -o "gui.column.format:\"No.\",\"%m\",\"Time\",\"%t\",\"Source\",\"%s\",\"Destination\",\"%d\",\"Source Port\",\"%S\",\"Destination Port\",\"%D\",\"Info\",\"%i\"" -r _file_name_

Run "tshark.exe -G column-formats" for a list of all the column format specifiers and their meaning.