
Tshark command to output the original source and destination IPs of an icmp.type==3 code==4 packet.

I want to use a Tshark command to pick out the original ICMP source and destination IP and dump it into a text file:

Example (shortened):

No.     Time                          Source                Destination           Protocol SrcPrt DstPrt Length Info
      1 2019-02-26 15:33:43.297203    10.74.192.78          192.168.128.112       ICMP     34945  443    590    Destination unreachable (Fragmentation needed)

Internet Protocol Version 4, Src: 10.74.192.78, Dst: 192.168.128.112
Internet Control Message Protocol
    Type: 3 (Destination unreachable)
    Code: 4 (Fragmentation needed)
    Checksum: 0x8a3c [correct]
    [Checksum Status: Good]
    Unused: 0000
    MTU of next hop: 1280
    Internet Protocol Version 4, Src: 192.168.128.112, Dst: 36.92.190.198 <== I want these IP addresses dumped to a text file.

What Tshark command can I use to read in multiple files and only output the text source and IPs mentioned above?

Cheers,

asked by wbenton, 2019-03-02 04:17:05 +0000 (updated by Guy Harris, 2019-03-02 08:53:09 +0000)

Comments

It's the second instance of tcp.src & tcp.dst that I'm interested in... not the first instance. The one in the ICMP header.

wbenton (2019-03-02 04:42:54 +0000)

1 Answer


(Presumably you mean "ip.src" and "ip.dst", not "tcp.src" and "tcp.dst".)

To quote the tshark man page's description of the -T flag:

   -T  ek|fields|json|jsonraw|pdml|ps|psml|tabs|text
   Set the format of the output when viewing decoded packet data.  The
   options are one of:

    ...

   fields The values of fields specified with the -e option, in a form
   specified by the -E option.  For example,

     tshark -T fields -E separator=, -E quote=d

   would generate comma-separated values (CSV) output suitable for
   importing into your favorite spreadsheet program.

so you want -T fields.

To quote its description of the -e flag:

   -e  <field>
   Add a field to the list of fields to display if -T
   ek|fields|json|pdml is selected.  This option can be used multiple
   times on the command line.  At least one field must be provided if
   the -T fields option is selected. Column names may be used prefixed
   with "_ws.col."

   Example: tshark -e frame.number -e ip.addr -e udp -e _ws.col.Info

   Giving a protocol rather than a single field will print multiple
   items of data about the protocol as a single field.  Fields are
   separated by tab characters by default.  -E controls the format of
   the printed fields.

so you'll want -e ip.src and -e ip.dst.

And to quote its description of the -E flag:

   -E  <field print option>
   Set an option controlling the printing of fields when -T fields is
   selected.

   Options are:

    ...

   occurrence=f|l|a Select which occurrence to use for fields that
   have multiple occurrences.  If f the first occurrence will be used,
   if l the last occurrence will be used and if a all occurrences will
   be used (this is the default).

    ...

The second occurrence of the ip.src and ip.dst fields is the last occurrence, so you want the last occurrence: -E occurrence=l. (Lower-case "l", not the digit "1".)

So you'd want

tshark -T fields -E occurrence=l -e ip.src -e ip.dst
answered by Guy Harris, 2019-03-02 09:14:47 +0000

Comments

Yes, I was looking for ip.src and ip.dst and your final answer [tshark -r icmp.code4.pcapng -T fields -E occurrence=l -e ip.src -e ip.dst] did the trick.

Thank you so very much.

wbenton (2019-03-03 08:52:35 +0000)
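As an added example (not code from the answer or from the tshark project), the Python below parses a constructed ICMP type 3 code 4 packet to show where the two ip.src/ip.dst occurrences in the answer come from: the outer header the router sends, and the quoted original IPv4 header inside the ICMP payload, which is the last occurrence that -E occurrence=l selects. It also validates the ICMP checksum and returns the same tab-separated line the answer's tshark command prints; the packet bytes, addresses, ports and MTU are constructed from the question's example.

```python
import struct

def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum over 16-bit words; 0 means a valid checksum field."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, total_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (constructed test data) with its checksum filled in."""
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes(int(o) for o in dst.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0, src_b, dst_b)
    return hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]

def parse_frag_needed(pkt: bytes):
    """Return (outer_src, outer_dst, inner_src, inner_dst, mtu) for an IPv4 packet
    carrying ICMP type 3 code 4 with a quoted IPv4 header; None otherwise."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4 or pkt[9] != 1:   # IPv4, protocol 1 = ICMP
        return None
    ihl = (pkt[0] & 0x0F) * 4
    outer_src = ".".join(map(str, pkt[12:16]))
    outer_dst = ".".join(map(str, pkt[16:20]))
    icmp = pkt[ihl:]
    if len(icmp) < 8 + 20:          # 8-byte ICMP header + at least the quoted IPv4 header
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != 3 or code != 4 or inet_checksum(icmp) != 0:   # reject corrupted messages
        return None
    inner = icmp[8:]                # the original datagram's header: the "last occurrence"
    inner_src = ".".join(map(str, inner[12:16]))
    inner_dst = ".".join(map(str, inner[16:20]))
    return outer_src, outer_dst, inner_src, inner_dst, mtu

def fields_line(pkt: bytes) -> str:
    """Same line as `tshark -T fields -E occurrence=l -e ip.src -e ip.dst`: inner src, tab, inner dst."""
    parsed = parse_frag_needed(pkt)
    return "" if parsed is None else "%s\t%s" % (parsed[2], parsed[3])

# Constructed sample: 192.168.128.112:34945 -> 36.92.190.198:443 was too big for the next hop,
# so router 10.74.192.78 returns "Fragmentation needed, MTU 1280" with the original header quoted.
_inner = ipv4_header("192.168.128.112", "36.92.190.198", 6, 1500) + struct.pack("!HHI", 34945, 443, 0)
_icmp = struct.pack("!BBHHH", 3, 4, 0, 0, 1280) + _inner
_icmp = _icmp[:2] + struct.pack("!H", inet_checksum(_icmp)) + _icmp[4:]
SAMPLE_PACKET = ipv4_header("10.74.192.78", "192.168.128.112", 1, 20 + len(_icmp)) + _icmp

if __name__ == "__main__":
    print(fields_line(SAMPLE_PACKET))
```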
