Write fields in hex format in tshark

Question

hi. can we print some fields of a packet in hex format in tshark? if we use :

tshark -r nbns.pcap -T fields -e frame.number -e ip.src -V > nbns.txt

the output(nbns.txt) is :

1 192.168.1.9

2 192.168.1.9

3 192.168.1.9

but i want to Write ip address in hex format(below).is it possible?

1 c0 a8 01 09

2 c0 a8 01 09

3 c0 a8 01 09

Accepted Answer

1

This can probably be optimized, but you can pipe the tshark output to other tools to transform it as you like, for example:

tshark -r nbns.pcap -T fields -e frame.number -e ip.src | sed 's/\./ /g' | sed 's/\r//g' | xargs printf '%d %02x %02x %02x %02x\n' | tee nbns.txt

answered 22 Apr '17, 14:55

cmaynard ♦♦
9.4k●10●38●142
accept rate: 20%

edited 22 Apr '17, 15:30

thanks, but when i run this command in tshark it says: sed in not recognizeds as an internal or external command,operable program or batch file. we use %02x %02x %02x %02x to printf ip address in hex format and know that ip address has 4 byte,but if we dont know fields length, how we can write them in hex format?

(22 Apr '17, 21:06) ghader

1

If you're running on Windows, that answer won't work, unless you happen to have UN*X tools such as sed, xargs, and printf installed on your machine (for example, through Cygwin); you'll have to find some other program or programs to transform the output into that format - TShark has no mechanism to produce that output directly.

(22 Apr '17, 21:13) Guy Harris ♦♦