For a couple of fields, especially fields with only one occurrence per packet, the easiest way is to use tshark -T fields -e <field1> -e <field2> .... If you need the full dissection tree for the relationship between fields, the PDML output (-T pdml) or the JSON output (-T json) might be better options. Have a look at tshark -h or the manpage for all kinds of output options.

Here is an example of the -T fields output:

$ tshark -r icmp-vlan-test.pcapng -T fields -e vlan.id -e ip.src -e ip.dst
1667    91.132.51.132   198.51.100.10
1667    198.51.100.10   91.132.51.132
1667    103.30.42.149   198.51.100.10
1667    198.51.100.10   103.30.42.149
1667    103.56.114.166  198.51.100.10
1667    198.51.100.10   103.56.114.166
97  10.0.0.101  198.51.100.10
1667    10.0.0.101  198.51.100.10
1667    198.51.100.10   10.0.0.101
97  198.51.100.10   10.0.0.101
97  10.0.0.101  198.51.100.10
1667    10.0.0.101  198.51.100.10
1667    198.51.100.10   10.0.0.101
97  198.51.100.10   10.0.0.101
$
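
As an added example (not part of the original answer), here is one way to post-process `-T fields` output in Python and flag the rows where a field occurs more than once, which is the case where the JSON or PDML output is the better choice. It assumes tshark's default `-E` settings (tab separator, all occurrences joined with a comma); the sample text, `parse_fields` and `summarize` are constructed for illustration.

```python
from collections import Counter

FIELDS = ("vlan.id", "ip.src", "ip.dst")

# Constructed sample in the shape of `tshark -T fields` output: tab-separated
# columns; repeated fields joined by "," (tshark's default -E occurrence=a).
SAMPLE = (
    "1667\t91.132.51.132\t198.51.100.10\n"
    "1667\t198.51.100.10\t91.132.51.132\n"
    "97\t10.0.0.101\t198.51.100.10\n"
    "1667\t10.0.0.101\t198.51.100.10\n"
    # e.g. an ICMP error quoting the original IP header: two ip.src/ip.dst
    "97\t198.51.100.10,10.0.0.101\t10.0.0.101,198.51.100.10\n"
    # untagged frame: vlan.id column is empty
    "\t10.0.0.5\t10.0.0.6\n"
)


def parse_fields(text, fields=FIELDS, aggregator=","):
    """Turn -T fields text into one dict per row: field name -> list of values."""
    rows = []
    for lineno, line in enumerate(text.split("\n"), 1):
        if line == "":
            continue
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(cols)}")
        rows.append({f: (c.split(aggregator) if c else []) for f, c in zip(fields, cols)})
    return rows


def summarize(rows):
    """Count (vlan, src, dst) flows; return row numbers with repeated fields separately."""
    flows, ambiguous = Counter(), []
    for number, row in enumerate(rows, 1):
        if any(len(values) > 1 for values in row.values()):
            ambiguous.append(number)  # field relationships need -T json / -T pdml
            continue
        if not row["ip.src"] or not row["ip.dst"]:
            continue  # not an IP packet
        vlan = row["vlan.id"][0] if row["vlan.id"] else None
        flows[(vlan, row["ip.src"][0], row["ip.dst"][0])] += 1
    return flows, ambiguous


if __name__ == "__main__":
    flows, ambiguous = summarize(parse_fields(SAMPLE))
    for key, count in sorted(flows.items(), key=str):
        print(count, *key)
    print("repeated fields in rows:", ambiguous)
```

To keep exactly one value per column instead, tshark accepts `-E occurrence=f` (first) or `-E occurrence=l` (last).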