
Display Filters in TSHARK

Simple question. I understand that in TSHARK you use the '-G fields' to get a list of fields to supply at the command line. Is there a way to do the same with Display Filters?

Just wondering about the quickest method or best practice in retrieving all information directly at the command line.

chris200712
asked 2023-05-14 13:18:48 +0000, updated 2023-05-14 13:20:53 +0000

Comments

Display filters are stored in the dfilters file.
(See WSUG - 11.6. Configuration Profiles, B.3. Configuration Files)

For a given profile specified with the -C option, you would like to dump contents of the dfilters file?

Chuckc (2023-05-14 13:45:56 +0000)

Yes, but dump the GLOBAL configuration profile where all of the Display Filters reside.

To put it simply, I would like the same information I get from the Wireshark 'Display Filter' cheat sheet directly on the command line. If that is possible

I apologize if this is a N00b question, but trying to become as proficient as possible with TSHARK.

Take for instance, in WIRESHARK I can add a DISPLAY FILTER such as 'ip'. If I click on one of the elements in the packet details pane, I will be supplied with the field that DISPLAY FILTER corresponds to, such as ip.ttl. The equivalent -e option in TSHARK.

Another example:

tshark -r test.pcap -Y http.request -T fields -e http.host -e http.user_agent

How can I find all DISPLAY FILTERS associated with http, such as the command stated above directly from the command line? Also, will TSHARK ... (more)

chris200712 (2023-05-15 03:03:35 +0000)

1 Answer


tshark -G fields will display all fields that may be used in display filters.

To then only see http fields, use your shell filter capabilities, e.g. for PowerShell:

tshark -G fields | Select-String -SimpleMatch "http."

Note that PowerShell Select-String defaults to using a regex pattern, so the "." would have to be escaped. Using the SimpleMatch flag disables the regex.

If you want ALL http fields (http, http2, http3) then I would use a regex to select those fields, e.g.

tshark -G fields | Select-String "http[2|3]?\."

grahamb
answered 2023-05-15 10:02:57 +0000
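The same idea in a POSIX shell, as an added example that is not part of the answer above: instead of substring-matching "http." against the whole line, it keys on the parent-protocol column of the `tshark -G fields` records, so you get exactly the fields that belong to `http` (or `http2`, `http3` when you ask for them) and nothing that merely mentions "http." in its description. The record layout in the comments is the one tshark(1) documents for `-G fields`; the sample records, the `example` protocol and the function names are constructed for this illustration and are not real tshark output.

```shell
#!/bin/sh
# Added example (not from the original answer): filter `tshark -G fields` output
# by parent protocol instead of grepping the whole line.
#
# Per tshark(1), `-G fields` prints one tab-separated record per line:
#   P <protocol name> <protocol abbreviation>
#   F <field name> <field abbreviation> <type> <parent protocol abbreviation> <base> <bitmask> <blurb>
# The field abbreviation (column 3) is what you pass to -e; the parent protocol
# (column 5) is what "a field belonging to http" really means.

# Constructed sample in that layout. This is NOT real tshark output; the
# "example" protocol and its blurb exist only to show a false positive.
sample_fields() {
  printf 'P\tHypertext Transfer Protocol\thttp\n'
  printf 'F\tHost\thttp.host\tFT_STRING\thttp\tBASE_NONE\t0x0\tHTTP Host header\n'
  printf 'F\tUser-Agent\thttp.user_agent\tFT_STRING\thttp\tBASE_NONE\t0x0\tHTTP User-Agent header\n'
  printf 'P\tHyperText Transfer Protocol 2\thttp2\n'
  printf 'F\tStream Identifier\thttp2.streamid\tFT_UINT32\thttp2\tBASE_DEC\t0x0\t\n'
  printf 'P\tInternet Protocol Version 4\tip\n'
  printf 'F\tTime to Live\tip.ttl\tFT_UINT8\tip\tBASE_DEC\t0x0\t\n'
  printf 'P\tExample Protocol\texample\n'
  printf 'F\tPayload\texample.payload\tFT_BYTES\texample\tBASE_NONE\t0x0\tWrapped http.request data\n'
}

# Protocol abbreviations from the P records. Each one is a valid bare display
# filter such as "ip" or "http".
list_protocols() {
  awk -F '\t' '$1 == "P" { print $3 }'
}

# Field abbreviations (the -e names) whose parent protocol is one of the arguments.
# Exact match on column 5, so "http" does not pick up http2/http3 unless listed.
# Usage: tshark -G fields | fields_for_proto http http2 http3
fields_for_proto() {
  awk -F '\t' -v want="$*" '
    BEGIN { n = split(want, p, " "); for (i = 1; i <= n; i++) ok[p[i]] = 1 }
    $1 == "F" && ($5 in ok) { print $3 }
  '
}

# Naive substring filter, for comparison: "http." is tested against the whole
# line, including the free-text name and blurb columns, so unrelated fields match.
grep_http_fields() {
  grep 'http\.' | awk -F '\t' '$1 == "F" { print $3 }'
}

# Demo on the constructed sample; swap sample_fields for `tshark -G fields` in practice.
sample_fields | fields_for_proto http http2
```

On a real system the pipeline is `tshark -G fields | fields_for_proto http http2 http3`; on the constructed sample the naive `grep 'http\.'` version also returns `example.payload`, because the match landed in the blurb column, which is the kind of stray hit the column-based filter avoids. For the protocol names on their own, `tshark -G protocols` is a separate report that lists them directly.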

