Tshark export object with IPs
While exporting objects with Tshark there is the possibility to ask for the IPs involved?
I need to recover the information about IP sender and IP receiver of the file
2 Answers
- Sort by
oldest newest most voted
0
There is a pcap attached to this Bugzilla for testing.
Tshark extract: 2030180 Apr 16 16:12 002804-1-Secondary-Capture-Image-Storage.dcm
Wireshark extract: 2029854 Apr 16 16:14 002804-1-1.2.276.0.7230010.3.1.4.341615093.12584.1428680298.845.dcm
The start of each filename contains the last packet/frame number (2804) of the object:
filename = wmem_strdup_printf(wmem_packet_scope(), "%06d-%d-%s.dcm", pinfo->num, cnt_same_pkt,
g_strcanon(pdv_curr->sop_instance_uid, G_CSET_A_2_Z G_CSET_a_2_z G_CSET_DIGITS "-.", '-'));
$ tshark -r ./test.cap -Y "frame.number==2804" -T fields -e ip.src -e ip.dst
165.226.145.190 165.226.144.126
0
There is no general mechanism to add that to the file contents, as not all file types support adding, for example, comments.
We could add an option to "Export Objects" to add the IP endpoints, either resolved (as host names if possible) or as addresses, to the file names.
This should be filed as an enhancement request on the Wireshark Bugzilla.
Your Answer
Please start posting anonymously - your entry will be published after you log in or create a new account.
This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.
Comments
What objects are you exporting? Also tshark version?
I'm exporting dicom objects. Tshark version is 3.2.2