Revision history [back]
Best way to get just one packet
I want to extract some information from a pcap file that was generated without any filter.
But, all I need to extract that info is one frame.
What I'm currently doing is something like this:
good_frame=$(tshark -r file.pcap -Y 'filter expression' -T fields -e frame.number | head -n1)
tshark -r file.pcap -Y 'frame.number=="$good_frame"' -T fields -e desired.field1 -e desired.field2
Is there a better way to do it?
I was thinking something like:
tshark -r file.pcap -Y 'filter expression' -c 1 -w - | tshark - -T fields -e desired.field1 -e desired.field2