Wireshark-users: [Wireshark-users] Betr: Re: wireshark extract specific field
Date: Wed, 20 Aug 2008 09:30:59 +0200
On Tue, 19 Aug 2008 22:59:33 +0100 paritosh kulkarni wrote:
> Thanks Joan this command works but still it gives the protocol in protocol
> number format.
> Is it the way it shows or we can change it some other way.

Well, I've tried something else: custom columns:

$ tshark -o column.format:""No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "Protocol", "%p", "srcport", "%uS", "dstport", "%uD", "len", "%L", "tcp.flags.ack", "%Cus:tcp.flags.ack", "tcp.flags.syn", "%Cus:tcp.flags.syn"" -r test.cap | head
  1   0.000000 00:0d:8d:66:86:ce -> ff:ff:ff:ff:ff:ff ARP   42
  2   0.000265 00:02:44:49:42:7b -> 00:0d:8d:66:86:ce ARP   60
  3   0.000278  192.168.1.4 -> 210.61.144.37 DNS 64120 53 76
  4   0.008086 210.61.144.37 -> 192.168.1.4  DNS 53 64120 380
  5   0.010454  192.168.1.4 -> 64.149.93.104 TCP 1090 80 62 Set Set
  6   0.025914 64.149.93.104 -> 192.168.1.4  TCP 80 1090 62 Set Set
  7   0.025976  192.168.1.4 -> 64.149.93.104 TCP 1090 80 54 Set Set
  8   0.032307  192.168.1.4 -> 64.149.93.104 HTTP 1090 80 481 Set Set
  9   0.044930 64.149.93.104 -> 192.168.1.4  TCP 80 1090 60 Set Set
 10   0.053650 64.149.93.104 -> 192.168.1.4  TCP 80 1090 1472 Set Set
* and Yes, you've got your protocol
** but it doesn't show the boolean value of the tcp.flags (just set or nothing)

BTW Wireshark gives the same result.

Grtz
Joan
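Added example, not part of the mail thread: a small Python script that builds the column.format preference from the title/format pairs used above (quoting it so the shell passes the double quotes through to tshark), and then parses the resulting columnar output, using the ten rows printed above as its sample input. The parser deals with the two quirks visible in that output: empty columns collapse in the whitespace-separated text (ARP rows have no port columns), and the custom tcp.flags columns carry only the text "Set" or nothing, not the boolean value. Function names here are my own, not a tshark API.

```python
import re
import shlex
from typing import Dict, List, Optional, Tuple

# Column titles and format codes from the command in the mail above.
# "%Cus:<field>" is tshark's custom-column format code; the other codes are
# the built-in columns (%m frame number, %t time, %s/%d addresses, %p protocol,
# %uS/%uD unresolved ports, %L frame length).
COLUMNS: List[Tuple[str, str]] = [
    ("No.", "%m"), ("Time", "%t"), ("Source", "%s"), ("Destination", "%d"),
    ("Protocol", "%p"), ("srcport", "%uS"), ("dstport", "%uD"), ("len", "%L"),
    ("tcp.flags.ack", "%Cus:tcp.flags.ack"),
    ("tcp.flags.syn", "%Cus:tcp.flags.syn"),
]


def column_format_pref(columns: List[Tuple[str, str]]) -> str:
    """Value for tshark's -o column.format:... preference: a comma-separated
    list of double-quoted title/format pairs."""
    pairs = ", ".join('"%s", "%s"' % (title, fmt) for title, fmt in columns)
    return "column.format:" + pairs


def tshark_command(columns: List[Tuple[str, str]], capture: str) -> str:
    """The command as one shell line. shlex.quote wraps the preference in
    single quotes so the inner double quotes reach tshark intact."""
    argv = ["tshark", "-o", column_format_pref(columns), "-r", capture]
    return " ".join(shlex.quote(a) for a in argv)


ROW_RE = re.compile(
    r"^\s*(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)"
    r"\s+(?P<proto>\S+)(?P<rest>.*)$"
)


def parse_row(line: str) -> Optional[Dict[str, object]]:
    """Parse one output row. Empty columns collapse in the whitespace-separated
    output, so the tail after Protocol is either "len" (no ports, e.g. ARP) or
    "srcport dstport len", followed by whatever the two custom columns printed."""
    m = ROW_RE.match(line)
    if not m:
        return None
    tail = m.group("rest").split()
    numbers = [int(t) for t in tail if t.isdigit()]
    custom = [t for t in tail if not t.isdigit()]
    if len(numbers) == 1:
        srcport, dstport, length = None, None, numbers[0]
    elif len(numbers) == 3:
        srcport, dstport, length = numbers
    else:
        raise ValueError("unexpected numeric columns in row: %r" % line)
    # The custom columns print the field's display text ("Set") when the field
    # is present and nothing otherwise; the boolean value itself is not shown.
    # Both empty or both printed is unambiguous; a single "Set" cannot be
    # assigned to ack or syn from this output, so it is left as None.
    if len(custom) == 2:
        ack, syn = custom[0], custom[1]
    elif len(custom) == 0:
        ack = syn = ""
    else:
        ack = syn = None
    return {
        "no": int(m.group("no")), "time": float(m.group("time")),
        "src": m.group("src"), "dst": m.group("dst"), "proto": m.group("proto"),
        "srcport": srcport, "dstport": dstport, "len": length,
        "tcp.flags.ack": ack, "tcp.flags.syn": syn, "custom_raw": custom,
    }


def parse_rows(text: str) -> List[Dict[str, object]]:
    """Parse every row of tshark's columnar output, skipping non-matching lines."""
    return [r for r in (parse_row(l) for l in text.splitlines()) if r]


# The ten rows printed in the mail above, used as sample input.
SAMPLE_OUTPUT = """\
  1   0.000000 00:0d:8d:66:86:ce -> ff:ff:ff:ff:ff:ff ARP   42
  2   0.000265 00:02:44:49:42:7b -> 00:0d:8d:66:86:ce ARP   60
  3   0.000278  192.168.1.4 -> 210.61.144.37 DNS 64120 53 76
  4   0.008086 210.61.144.37 -> 192.168.1.4  DNS 53 64120 380
  5   0.010454  192.168.1.4 -> 64.149.93.104 TCP 1090 80 62 Set Set
  6   0.025914 64.149.93.104 -> 192.168.1.4  TCP 80 1090 62 Set Set
  7   0.025976  192.168.1.4 -> 64.149.93.104 TCP 1090 80 54 Set Set
  8   0.032307  192.168.1.4 -> 64.149.93.104 HTTP 1090 80 481 Set Set
  9   0.044930 64.149.93.104 -> 192.168.1.4  TCP 80 1090 60 Set Set
 10   0.053650 64.149.93.104 -> 192.168.1.4  TCP 80 1090 1472 Set Set
"""

if __name__ == "__main__":
    print(tshark_command(COLUMNS, "test.cap"))
    for row in parse_rows(SAMPLE_OUTPUT):
        print(row["no"], row["proto"], row["srcport"], row["dstport"],
              row["len"], row["custom_raw"])
```

If the boolean value itself is needed rather than the "Set" text, the structured rows make that gap explicit (the flag fields are "Set"/"" per column, never True/False), which is the limitation the mail points out.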