
Best way to get just one packet

I want to extract some information from a pcap file that was generated without any filter.

But, all I need to extract that info is one frame.

What I'm currently doing is something like this:

good_frame=$(tshark -r file.pcap -Y 'filter expression' -T fields -e frame.number | head -n1)
tshark -r file.pcap -Y "frame.number == $good_frame" -T fields -e desired.field1 -e desired.field2

Is there a better way to do it?

I was thinking something like:

tshark -r file.pcap -Y 'filter expression' -c 1 -w - | tshark -r - -T fields -e desired.field1 -e desired.field2

3
leonardus
asked 2022-11-28 03:41:52 +0000

Comments

But, all I need to extract that info is one frame.

How do you determine that frame number? Is it the first frame in the file that matches some filter expression, as your "What I'm currently doing" example suggests?

Guy Harris (2022-11-28 05:56:37 +0000)

Correct. I'll filter for one protocol to find out whether that particular pcap file contains it. Then if it does, I get the first frame and work with that.

leonardus (2022-11-30 02:38:21 +0000)

2 Answers

1

You can use the option -c (count) in combination with a read filter, options -2 -R, to filter out only the first hit on the filter. Thus:

tshark -r file.pcap -2R 'filter expression' -c 1 -T fields -e desired.field1 -e desired.field2

The reason is that a read filter causes the frame numbers to be renumbered. So frame number 1 contains the first hit.

Using a display filter like this, -Y 'filter expression' -c 1, only works if the first packet in the capture file happens to match the filter, because the -c limits the number of packets read from the file.

This and other tricks are shown in the tshark sessions at https://sharkfesteurope.wireshark.org...

176
André
answered 2022-11-28 17:54:01 +0000

Comments

Reading the documentation for -2 and -R, this makes a lot of sense. Thanks.

leonardus (2022-11-30 02:44:19 +0000)
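The difference between the two forms is easy to check on a capture whose layout you control. The following is an added example, not code from the thread: it writes a constructed three-frame pcap (frame 1 is plain UDP noise, frames 2 and 3 are DNS queries, each from a distinct source IP so the ip.src column shows which packet tshark actually picked) and then builds and runs both command lines from the answer above. The pcap writer and reader need only the standard library; first_match() needs tshark on PATH. All names and addresses in it are this example's own.

```python
"""Added example (not from the original thread): build a three-frame pcap with
a known layout, then run both forms of the one-packet extraction against it.
Only frames 2 and 3 carry DNS, each from a distinct source IP, so the ip.src
column shows which packet a command actually selected. first_match() needs
tshark on PATH; the pcap builder and reader need nothing beyond the stdlib."""
import os
import shutil
import struct
import subprocess
import tempfile

PCAP_MAGIC = 0xA1B2C3D4      # classic pcap, microsecond timestamps
LINKTYPE_ETHERNET = 1
ETH_P_IP = 0x0800
IPPROTO_UDP = 17


def _ip_checksum(hdr: bytes) -> int:
    """One's-complement sum over 16-bit words (RFC 1071)."""
    total = sum(struct.unpack("!%dH" % (len(hdr) // 2), hdr))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def udp_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Ethernet/IPv4/UDP frame with a valid IP checksum (UDP checksum left 0)."""
    eth = b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETH_P_IP)
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    src = bytes(int(o) for o in src_ip.split("."))
    dst = bytes(int(o) for o in dst_ip.split("."))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, IPPROTO_UDP, 0, src, dst)
    ip = ip[:10] + struct.pack("!H", _ip_checksum(ip)) + ip[12:]
    return eth + ip + udp


def dns_query(name: str) -> bytes:
    """Minimal DNS A query, enough for the 'dns' display filter to match."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!HH", 1, 1)


def sample_frames() -> list:
    """Constructed capture: frame 1 is non-DNS noise, frames 2 and 3 are DNS."""
    return [
        udp_frame("10.0.0.1", "10.0.0.99", 40000, 9999, b"not dns"),
        udp_frame("10.0.0.2", "10.0.0.53", 40001, 53, dns_query("example.com")),
        udp_frame("10.0.0.3", "10.0.0.53", 40002, 53, dns_query("example.org")),
    ]


def write_pcap(path: str, frames: list) -> None:
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET))
        for i, frame in enumerate(frames):
            f.write(struct.pack("<IIII", 1_700_000_000 + i, 0, len(frame), len(frame)))
            f.write(frame)


def read_pcap(path: str) -> list:
    """Parse the file back so the writer can be checked without tshark."""
    with open(path, "rb") as f:
        data = f.read()
    if struct.unpack("<I", data[:4])[0] != PCAP_MAGIC:
        raise ValueError("not a little-endian pcap")
    frames, off = [], 24
    while off < len(data):
        incl_len = struct.unpack("<IIII", data[off:off + 16])[2]
        frames.append(data[off + 16:off + 16 + incl_len])
        off += 16 + incl_len
    return frames


def build_sample_pcap(directory: str = None) -> str:
    """Write the constructed capture to <directory>/sample.pcap (temp dir by default)."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "sample.pcap")
    write_pcap(path, sample_frames())
    return path


def tshark_args(pcap: str, dfilter: str, fields: list, two_pass: bool = True) -> list:
    """Command line for the answer's form (-2 -R, two-pass read filter) or the
    naive form (-Y display filter); -c 1 is passed in both cases."""
    mode = ["-2", "-R", dfilter] if two_pass else ["-Y", dfilter]
    args = ["tshark", "-r", pcap, *mode, "-c", "1", "-T", "fields"]
    for field in fields:
        args += ["-e", field]
    return args


def first_match(pcap: str, dfilter: str, fields: list, two_pass: bool = True):
    """Field values of the first frame tshark emits, or None when nothing
    matched. None therefore also answers 'does this pcap contain X at all?'."""
    if shutil.which("tshark") is None:
        raise RuntimeError("tshark not found on PATH")
    out = subprocess.run(tshark_args(pcap, dfilter, fields, two_pass),
                         capture_output=True, text=True, check=True).stdout
    lines = out.strip().splitlines()
    return lines[0].split("\t") if lines else None


if __name__ == "__main__":
    path = build_sample_pcap()
    fields = ["frame.number", "ip.src", "dns.qry.name"]
    # Per the answer above: with -2 -R the first DNS frame (ip.src 10.0.0.2) comes
    # back; with -Y the -c 1 budget is spent on frame 1, which is not DNS, so
    # nothing comes back even though the file does contain DNS.
    print("read filter   :", first_match(path, "dns", fields))
    print("display filter:", first_match(path, "dns", fields, two_pass=False))
```

Run it with tshark installed and compare the two lines; the ip.src column tells you which packet each form selected independently of how frame.number was renumbered. Because first_match() returns None when the filter hits nothing, the same call doubles as the "does this capture contain the protocol at all?" check from the question, with no second pass over the file.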
0

tshark -r file.pcap -Y 'filter expression' -c 1 -T fields -e desired.field1 -e desired.field2

40
7ACE
answered 2022-11-28 05:34:37 +0000
