Problem with tshark and plain text output with column names

edit

$ tshark -r ./nfl.pcapng  -T fields -e _ws.col.Time -e ip.src -e ip.dst -e _ws.col.Info -Eheader=y -c 3 -t ad

_ws.col.Time    ip.src  ip.dst  _ws.col.Info
2018-10-11 18:00:49.189070      192.168.1.70    72.21.91.29     54042 â+' 80 [ACK] Seq=1 Ack=1 Win=253 Len=1
2018-10-11 18:00:49.198412      72.21.91.29     192.168.1.70    80 â+' 54042 [ACK] Seq=1 Ack=2 Win=288 Len=0 SLE=1 SRE=2
2018-10-11 18:00:49.270602      192.168.1.70    23.62.236.26    54000 â+' 80 [ACK] Seq=1 Ack=1 Win=255 Len=1
$

Time formats available with -t:

  -t a|ad|d|dd|e|r|u|ud|?  output format of time stamps (def: r: rel. to first)
        "a"    for absolute
        "ad"   for absolute with YYYY-MM-DD date
        "adoy" for absolute with YYYY/DOY date
        "d"    for delta
        "dd"   for delta displayed
        "e"    for epoch
        "r"    for relative
        "u"    for absolute UTC
        "ud"   for absolute UTC with YYYY-MM-DD date
        "udoy" for absolute UTC with YYYY/DOY date

https://www.wireshark.org/docs/man-pa...

-e <field>
Add a field to the list of fields to display if -T ek|fields|json|pdml is selected. This option can be used multiple times on the command line. At least one field must be provided if the -T fields option is selected. Column names may be used prefixed with "_ws.col."

Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info

Giving a protocol rather than a single field will print multiple items of data about the protocol as a single field. Fields are separated by tab characters by default. -E controls the format of the printed fields.

If by "human-readable, plain text output file with the correct columns" you mean output like the packet summary pane in Wireshark, there is an alternative to -T, -E, and -e.

Just try running, for example, "c:\Program Files\Wireshark\tshark.exe" -r D:\capturefiles\Daily-capture-2019-11-10_00001_20191110143657.pcap.

That defaults to printing the columns you've set up in Wireshark or, if you've never edited the column list in Wireshark, the default column list. You can set the column list by passing the argument -o gui.column.format:cols, where cols is a string containing a sequence of column title/column type pairs, with commas separating the column title and the corresponding type following it, as well as separating a column type from the next column's title.

The column titles must be quoted, with double quotes, if they contain spaces; that would require that the entire argument be quoted, and that the quoted argument itself contain quotes - that can be done on UN*X command lines by using single quotes for the entire argument and double quotes for the column titles, or by using double quotes for the entire argument and escaping the double quotes around the column titles with backslashes; I'm not sure how to do that on Windows command lines.

The column types are currently documented only in the output of tshark -G column-formats. %Cus is described as just "Custom"; that's used for custom columns that use a packet field, and the syntax is %Cus:{name}:{instance}:{resolved}, where {name} is the field name, {instance} is the ordinal number of the instance to display (0-origin, so 0 is the first instance in the packet, 1 is the second instance in the packet, etc.), and {resolved}is either R if the column is "resolved" or U if it's "unresolved". The distinction between "resolved" and "unresolved" is not documented and is not clear; it doesn't seem to work in a sensible fashion for the arp.opcode field, as the "unresolved" version is blank rather than the numerical value of the opcode.

There is currently no mechanism to cause the column titles to be written out as the first line.