
make tshark output ignore irrelevant fields


I am trying to get tshark to produce output similar to what Wireshark does, i.e. show only the fields relevant to the protocols found, for each line separately.

If I use

-T fields -e ip.proto -e udp.srcport -e udp.dstport -e tcp.srcport -e tcp.dstport

or the like, it prints the UDP fields empty if the current frame is TCP, and vice versa.

Is there a way to make it print protocol fields conditionally, or in lieu of each other, something like (pretending that -c means 'condition'):

-Tfields -e ip.proto "\( (-c ip-proto==17 -e tcp.srcport -e tcp.dstport) -o (-c ip.proto==6 -e udp.srcport -e udp.dstport)"

or the like. I do want all the data on one line, if possible.

Mathias
asked 2023-07-31 10:48:24 +0000
grahamb
updated 2023-07-31 13:06:18 +0000
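One way to get the conditional output the question asks for is to keep tshark's plain -T fields output and collapse it afterwards. This is an added example, not part of the original post; it assumes the -e order shown in the question, tshark's default tab separator, and the default comma aggregator for multi-occurrence fields.

```python
"""Collapse tshark '-T fields' output so that only the ports of the
transport protocol actually present in each frame are printed.

tshark prints every requested field for every frame, leaving the
fields of absent protocols empty; this turns that into one compact
'proto  srcport  dstport' line per frame.
"""
import sys

# Field order must match the -e options given to tshark, i.e.:
#   tshark -r file.pcap -T fields -e ip.proto -e udp.srcport -e udp.dstport \
#          -e tcp.srcport -e tcp.dstport
FIELDS = ["ip.proto", "udp.srcport", "udp.dstport", "tcp.srcport", "tcp.dstport"]

# IP protocol numbers as tshark prints them for ip.proto.
PROTO_TCP = "6"
PROTO_UDP = "17"


def collapse_line(line: str) -> str:
    """Return 'proto\\tsrcport\\tdstport' for one tab-separated tshark line.

    TCP columns are used when ip.proto is 6, UDP columns when it is 17;
    anything else (ICMP, ESP, ...) gets empty port fields.
    """
    cols = line.rstrip("\n").split("\t")
    cols += [""] * (len(FIELDS) - len(cols))  # tolerate dropped trailing tabs
    rec = dict(zip(FIELDS, cols))
    # A frame with two IP headers (e.g. an ICMP error quoting the original
    # datagram) yields a comma-joined ip.proto; the outer header comes first.
    proto = rec["ip.proto"].split(",")[0]
    if proto == PROTO_TCP:
        src, dst = rec["tcp.srcport"], rec["tcp.dstport"]
    elif proto == PROTO_UDP:
        src, dst = rec["udp.srcport"], rec["udp.dstport"]
    else:
        src, dst = "", ""
    return "\t".join([proto, src, dst])


def collapse(lines):
    """Collapse an iterable of tshark field lines, skipping blank ones."""
    return [collapse_line(l) for l in lines if l.strip()]


# Constructed sample of what the tshark command above prints (not a real capture).
SAMPLE = [
    "17\t53\t49152\t\t",   # UDP (DNS): only udp.* filled
    "6\t\t\t443\t18082",   # TCP: only tcp.* filled
    "1\t\t\t\t",           # ICMP: no ports at all
]

if __name__ == "__main__":
    # Pipe tshark into this script; with no pipe, run on the constructed sample.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for out in collapse(source):
        print(out)
```

Run it as `tshark -r file.pcap -T fields -e ip.proto -e udp.srcport -e udp.dstport -e tcp.srcport -e tcp.dstport | python3 collapse_ports.py`.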

2 Answers


You can also try directly specifying the columns you want instead of using -T fields and -e field1 ... -e fieldN. For example:

Windows:

tshark.exe -r file.pcap -Y "tcp or udp" -o "gui.column.format:\"IP Protocol\",\"%Cus:ip.proto\",\"Source Port\",\"%S\",\"Destination Port\",\"%D\""

*Nix:

tshark -r file.pcap -Y "tcp or udp" -o 'gui.column.format:"IP Protocol","%Cus:ip.proto","Source Port","%S","Destination Port","%D"'

NOTE: You can use %rS for resolved source ports, %uS for unresolved source ports, %rD for resolved destination ports, or %uD for unresolved destination ports.

For more help with specifying columns, run tshark -G column-formats.

cmaynard
answered 2023-07-31 14:50:14 +0000

output similar to what wireshark does

Do you mean Src port (unresolved) and Dest port (unresolved) columns?

If so, you can print columns with tshark:

Column names may be used prefixed with "_ws.col."

The column names are not intuitive but can be found in epan/column.c:

    { COL_UNRES_DST_PORT, "Dest port (unresolved)" },
...
    { COL_UNRES_SRC_PORT, "Src port (unresolved)" },

The columns will need to exist in the profile you are using with tshark.
You could add them to a new profile and tell tshark to use it with the -C option:

-C <configuration profile>  Run with the given configuration profile.

~$ tshark -r tcptst.pcap -T fields -e tcp.srcport -e _ws.col.unres_src_port -e _ws.col.unres_dst_port
443     443     18082
443     443     18082
443     443     18082
Chuckc
answered 2023-07-31 12:52:22 +0000