On Mon, Mar 17, 2008 at 03:47:57PM -0400, Rob MacKenzie wrote:
> Great app, quick question.
>
> I am using tshark as part of a larger program, and I need the packet
> summaries from a pcap file.
>
> I am getting the format I need by piping out from
>
> tshark -r myfile.pcap -Ttext > outfile.txt
>
> My questions are:
> 1: is there no way to get tshark to output not to standard out but to a
> file, as the -w option just outputs the pcap file again.

At the moment, no. Is there an advantage over using the ">" redirection?
But why not save the binary data to file and use "tshark -r <file> |" in
your program to read from file? It gives much more flexibility?

> 2: The format of the -Ttext output is determined by the columns in
> Wireshark. My app needs to run smoothly even if Wireshark is opened and
> configuration changed. Where are these options stored on a Windows
> machine? On a Linux machine?

The preferences are saved in the file "preferences" in the directory
"c:\Documents and Settings\<user>\Application Data\Wireshark\" under
Windows and <home>/.wireshark under Linux.

You can override the column settings from your program by using:

    tshark -o column.format:'"No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "srcport", "%uS", "dstport", "%uD", "len", "%L", "Protocol", "%p", "Info", "%i"' -Ttext ...

(use the format you need here!)

Another way is to use the option "-T fields -e <field> -e <field>..."
instead. That will give you control over the fields in the output. And
since they are just values separated by a TAB (or user defined separator),
your program is able to parse the output more easily.

Hope this helps,
Cheers,
Sake
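
The "-T fields" approach suggested above, as an added example that is not part of the original message: a Python wrapper that fixes the field list on the command line, so the user's Wireshark column preferences no longer matter, and parses the TAB-separated output. The field names, the function names and the sample lines are assumptions chosen for illustration.

```python
import subprocess

# Assumed field list for illustration; pass the fields your program needs.
FIELDS = ["frame.number", "frame.time_relative", "ip.src", "ip.dst",
          "tcp.srcport", "tcp.dstport", "frame.len"]

def tshark_argv(pcap_path, fields=FIELDS):
    """Build the tshark command as an argument list (no shell involved,
    so a pcap file name containing spaces or quotes needs no escaping)."""
    argv = ["tshark", "-r", pcap_path, "-T", "fields", "-E", "separator=/t"]
    for name in fields:
        argv += ["-e", name]
    return argv

def parse_fields(lines, fields=FIELDS):
    """Turn "-T fields" output lines into dicts mapping field -> list of values.

    A field the packet does not have (e.g. tcp.srcport on an ARP frame) is
    printed as an empty column and becomes []. A field that occurs more than
    once in a packet (e.g. ip.src in a tunnelled packet) is joined with ","
    by default and becomes a list with several entries.
    """
    for lineno, line in enumerate(lines, 1):
        line = line.rstrip("\r\n")
        if not line:
            continue
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError("line %d: expected %d columns, got %d"
                             % (lineno, len(fields), len(values)))
        yield {n: (v.split(",") if v else []) for n, v in zip(fields, values)}

def read_pcap(pcap_path, fields=FIELDS):
    """Run tshark on a capture file and yield one dict per packet."""
    with subprocess.Popen(tshark_argv(pcap_path, fields),
                          stdout=subprocess.PIPE, text=True) as proc:
        yield from parse_fields(proc.stdout, fields)
    if proc.returncode:
        raise subprocess.CalledProcessError(proc.returncode, proc.args)

# Constructed sample output (not from a real capture): TCP, ICMP, ARP.
SAMPLE = [
    "1\t0.000000\t10.0.0.1\t10.0.0.2\t49152\t80\t74\n",
    "2\t0.000120\t10.0.0.2\t10.0.0.1\t\t\t98\n",
    "3\t0.500000\t\t\t\t\t42\n",
]

if __name__ == "__main__":
    for row in parse_fields(SAMPLE):
        print(row)
```

Do not select fields whose values themselves contain commas (such as the human-readable frame.time) with this parser, since it treats "," as the occurrence separator.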