
Extract Information from Wireshark

Hi community!

Our project aims to analyze the pcap file based on the dissection data we get from Wireshark.

I would like to know if there is any interface I can use directly to extract the information provided by Wireshark, such as source address, destination address, and any other protocol-specific information.

I know a Lua script can get the dissection data easily with the "Field" object. For example, to get the source address of an IPv4 data frame, use Field.new("ip.src"). But it is not a generic solution. It becomes cumbersome when we want to support many protocols.

So, is there any function to get information like the protocol name or the data for a certain field? Or is there any command in TShark?

I hope I have described my problem clearly, and thanks for taking the time to read my question!

Kind Regards

Ke
asked 2022-06-01 20:27:13 +0000

1 Answer


For a couple of fields, especially fields with only one occurrence per packet, the easiest way is to use tshark -T fields -e <field1> -e <field2> .... If you need the full dissection tree for the relationship between fields, the PDML output (-T pdml) or the JSON output (-T json) might be better options. Have a look at tshark -h or the manpage for all kinds of output options.

Here is an example of the -T fields output:

```
$ tshark -r icmp-vlan-test.pcapng -T fields -e vlan.id -e ip.src -e ip.dst
1667    91.132.51.132   198.51.100.10
1667    198.51.100.10   91.132.51.132
1667    103.30.42.149   198.51.100.10
1667    198.51.100.10   103.30.42.149
1667    103.56.114.166  198.51.100.10
1667    198.51.100.10   103.56.114.166
97      10.0.0.101      198.51.100.10
1667    10.0.0.101      198.51.100.10
1667    198.51.100.10   10.0.0.101
97      198.51.100.10   10.0.0.101
97      10.0.0.101      198.51.100.10
1667    10.0.0.101      198.51.100.10
1667    198.51.100.10   10.0.0.101
97      198.51.100.10   10.0.0.101
$
```
SYN-bit
answered 2022-06-02 11:48:53 +0000
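The asker wants a generic way to get protocol names and field values without writing one Field.new() per field, and the answer points at tshark's -T json output for that. The script below is an added example, not code from SYN-bit's answer or from the Wireshark project. It assumes the layout tshark produces for -T json (a JSON array of packets, each with _source.layers keyed by protocol name, with field names as keys and subtrees as nested objects) and uses a small constructed sample in that shape instead of the capture above; the tshark invocation it builds is not run offline. It also emulates the -T fields row format, which makes visible why the answer says -T fields is easiest for fields that occur once per packet: a field that occurs twice comes back as a comma-joined pair in one column.

```python
"""Walk tshark's -T json dissection output generically (added example).

SAMPLE_JSON is a constructed stand-in for `tshark -r capture.pcapng -T json
--no-duplicate-keys`; it is not the capture from the answer above. With
--no-duplicate-keys a field that repeats inside one object (ip.addr is the
usual case) arrives as a JSON array instead of duplicate keys, which
json.loads would otherwise silently collapse to the last value.
"""
import json
import subprocess
from typing import Any, Iterator, List, Optional, Tuple

SAMPLE_JSON = json.dumps([
    {   # packet 1: ICMP echo request tagged VLAN 1667 (constructed)
        "_index": "packets-2022-06-02", "_type": "doc", "_score": None,
        "_source": {"layers": {
            "frame": {"frame.number": "1", "frame.len": "102",
                      "frame.protocols": "eth:ethertype:vlan:ethertype:ip:icmp:data"},
            "eth": {"eth.dst": "00:11:22:33:44:55", "eth.src": "66:77:88:99:aa:bb",
                    "eth.type": "0x8100"},
            "vlan": {"vlan.priority": "0", "vlan.id": "1667", "vlan.etype": "0x0800"},
            "ip": {"ip.version": "4", "ip.src": "198.51.100.10", "ip.dst": "10.0.0.101",
                   "ip.addr": ["198.51.100.10", "10.0.0.101"], "ip.proto": "1",
                   "ip.flags": "0x00",
                   "ip.flags_tree": {"ip.flags.rb": "0", "ip.flags.df": "0", "ip.flags.mf": "0"}},
            "icmp": {"icmp.type": "8", "icmp.code": "0", "icmp.ident": "1", "icmp.seq": "1"},
        }},
    },
    {   # packet 2: ICMP time-exceeded on VLAN 97 (constructed); the quoted
        # original IP/ICMP headers sit below the outer icmp node, as in the tree
        "_index": "packets-2022-06-02", "_type": "doc", "_score": None,
        "_source": {"layers": {
            "frame": {"frame.number": "2", "frame.len": "74",
                      "frame.protocols": "eth:ethertype:vlan:ethertype:ip:icmp:ip:icmp"},
            "eth": {"eth.dst": "66:77:88:99:aa:bb", "eth.src": "00:11:22:33:44:55",
                    "eth.type": "0x8100"},
            "vlan": {"vlan.priority": "0", "vlan.id": "97", "vlan.etype": "0x0800"},
            "ip": {"ip.version": "4", "ip.src": "10.0.0.101", "ip.dst": "198.51.100.10",
                   "ip.addr": ["10.0.0.101", "198.51.100.10"], "ip.proto": "1",
                   "ip.flags": "0x00",
                   "ip.flags_tree": {"ip.flags.rb": "0", "ip.flags.df": "0", "ip.flags.mf": "0"}},
            "icmp": {"icmp.type": "11", "icmp.code": "0",
                     "ip": {"ip.version": "4", "ip.src": "198.51.100.10",
                            "ip.dst": "10.0.0.101",
                            "ip.addr": ["198.51.100.10", "10.0.0.101"], "ip.proto": "1"},
                     "icmp": {"icmp.type": "8", "icmp.code": "0", "icmp.ident": "1",
                              "icmp.seq": "1"}},
        }},
    },
])


def tshark_json_argv(pcap_path: str, display_filter: Optional[str] = None) -> List[str]:
    """Command line that produces JSON in the shape this module walks (not run here)."""
    argv = ["tshark", "-r", pcap_path, "-T", "json", "--no-duplicate-keys"]
    if display_filter:
        argv += ["-Y", display_filter]
    return argv


def run_tshark_json(pcap_path: str, display_filter: Optional[str] = None) -> List[Any]:
    """Run tshark on a real capture; needs tshark on PATH, so not exercised offline."""
    proc = subprocess.run(tshark_json_argv(pcap_path, display_filter),
                          check=True, capture_output=True, text=True)
    return json.loads(proc.stdout)


def load_packets(text: str) -> List[Any]:
    return json.loads(text)


def protocols(packet: Any) -> List[str]:
    """Top-level layer names in dissection order, e.g. ['frame', 'eth', 'vlan', 'ip', 'icmp']."""
    return list(packet["_source"]["layers"].keys())


def _leaves(name: str, node: Any) -> Iterator[Tuple[str, str]]:
    """Yield (field_name, value) for every scalar under node, descending into
    subtrees (keys ending in _tree, quoted inner headers) and repeated-key arrays."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from _leaves(key, child)
    elif isinstance(node, list):
        for item in node:
            yield from _leaves(name, item)
    else:
        yield name, str(node)


def iter_fields(packet: Any) -> Iterator[Tuple[str, str, str]]:
    """Yield (top-level protocol, field name, value) for the whole packet."""
    for proto, body in packet["_source"]["layers"].items():
        for name, value in _leaves(proto, body):
            yield proto, name, value


def field_values(packet: Any, field_name: str) -> List[str]:
    """Every occurrence of a field in this packet, in tree order (may be empty)."""
    return [v for _, n, v in iter_fields(packet) if n == field_name]


def fields_table(packets: List[Any], field_names: List[str], sep: str = ",") -> List[str]:
    """Emulate `tshark -T fields -e ...`: one tab-separated row per packet, with
    multiple occurrences joined by sep and a missing field left as an empty column."""
    return ["\t".join(sep.join(field_values(p, f)) for f in field_names) for p in packets]


if __name__ == "__main__":
    pkts = load_packets(SAMPLE_JSON)
    for row in fields_table(pkts, ["vlan.id", "ip.src", "ip.dst"]):
        print(row)
```

For a real capture, replace load_packets(SAMPLE_JSON) with run_tshark_json("capture.pcapng", "icmp"); the walker does not care which dissectors produced the layers, so the same few lines cover every protocol Wireshark knows. The second sample packet shows the catch the answer hints at: ip.src appears twice (outer header and the quoted inner one), so the -T fields style row carries "10.0.0.101,198.51.100.10" in one column, while iter_fields keeps the two occurrences apart and tells you which layer each came from.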
