Wireshark-users: Re: [Wireshark-users] Print wireshark option from command
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Tue, 16 Dec 2008 00:36:54 -0800

On Dec 16, 2008, at 12:07 AM, Hashmat Khan wrote:

> Thanks.
> But how do I get this kind of output:
>
> 117.97.37.213 217.1.176.55 CLEARCASE 600 371 0x39de (14814)
> 117.97.37.213 202.56.250.5 DNS 2420 53 0x39df (14815)
> 117.97.37.213 255.255.255.255 DHCP 68 67 0x39e0 (14816)
> 117.97.37.213 202.56.250.6 DNS 2420 53 0x39e1 (14817)
> 117.97.37.213 202.56.250.5 DNS 2420 53 0x39e2 (14818)
> 117.97.37.213 202.56.250.5 DNS 2420 53 0x39e3 (14819)
> 117.97.37.213 202.56.250.6 DNS 2420 53 0x39e4 (14820)
> 117.97.37.213 255.255.255.255 DHCP 68 67 0x39e5 (14821)
>
> I want to print any source IP followed by any dest IP followed by protocol type followed by src port, dest port and finally IP header identification.

You can't get that with File -> Print in Wireshark, either, without changing the columns you display.

At least with top-of-tree or development-branch (1.1[.x]) Wireshark, you could get something similar with

./tshark -n -r ~/captures/dhcp-crap.pcap -o column.format:"Source","%s","Destination","%d","Protocol","%p","Source port","%S","Dest port","%D","IP ID","%Cus:ip.id"

on UN*X; the differences are that

	1) it'll print out column headings;

	2) it'll print only one space between columns;

	3) it'll print "->" between the source and destination addresses.

Note that:

for packets that *don't* have any IP addresses, it'll print lower-level (link-layer) addresses, if any;

for packets that don't have transport-layer ports or an IP ID, it'll just print spaces.
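As an added example (not part of this thread and not Wireshark's or tshark's own code), the script below builds a handful of constructed Ethernet frames, writes them to a pcap file that the tshark command above can be pointed at, and prints the same six columns (source, destination, protocol, source port, dest port, IP ID) by parsing the packets directly. It shows the two caveats in the reply: a non-IP frame (ARP) gets link-layer addresses and blank port/ID columns, and an IP packet without ports (ICMP) gets blank port columns but a filled IP ID. The MAC addresses, the TCP flow, the ICMP packet and the ARP request are invented; the IP addresses and IDs are chosen to match the quoted output. The protocol name is a rough port-based stand-in for Wireshark's dissector-driven Protocol column, and checksums are left at zero.

```python
"""Constructed frames -> pcap file + the tshark-style columns from the reply.
Added example; sample packets are synthetic and checksums are left zero."""
import struct
import time

ETH_IPV4, ETH_ARP = 0x0800, 0x0806
IPPROTO_ICMP, IPPROTO_TCP, IPPROTO_UDP = 1, 6, 17
PROTO_NAMES = {IPPROTO_ICMP: "ICMP", IPPROTO_TCP: "TCP", IPPROTO_UDP: "UDP"}
# Rough stand-in for Wireshark's dissector names (assumption, not tshark's logic).
PORT_NAMES = {53: "DNS", 67: "DHCP", 68: "DHCP"}

def mac(s):
    return bytes.fromhex(s.replace(":", ""))

def ipv4(s):
    return bytes(int(o) for o in s.split("."))

def ether(dst, src, ethertype, payload):
    return mac(dst) + mac(src) + struct.pack("!H", ethertype) + payload

def ip_packet(src, dst, proto, ip_id, payload):
    # IPv4 header: ver/ihl, tos, total length, id, flags/frag, ttl, proto, csum, src, dst
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0,
                      64, proto, 0, ipv4(src), ipv4(dst))
    return hdr + payload

def udp(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data

def tcp(sport, dport, data=b""):
    # 20-byte TCP header: ports, seq, ack, data offset 5, SYN flag, window, csum, urg
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 8192, 0, 0) + data

def arp_request(sender_mac, sender_ip, target_ip):
    # htype=Ethernet, ptype=IPv4, hlen=6, plen=4, op=request; target MAC unknown
    return (struct.pack("!HHBBH", 1, ETH_IPV4, 6, 4, 1) + mac(sender_mac)
            + ipv4(sender_ip) + b"\x00" * 6 + ipv4(target_ip))

HOST, HOST_MAC, GW_MAC, BCAST = "117.97.37.213", "00:11:22:33:44:55", "66:77:88:99:aa:bb", "ff:ff:ff:ff:ff:ff"
FRAMES = [  # constructed sample traffic
    ether(GW_MAC, HOST_MAC, ETH_IPV4, ip_packet(HOST, "202.56.250.5", IPPROTO_UDP, 0x39DF,
          udp(2420, 53, b"\x12\x34\x01\x00" + b"\x00" * 8))),
    ether(BCAST, HOST_MAC, ETH_IPV4, ip_packet(HOST, "255.255.255.255", IPPROTO_UDP, 0x39E0,
          udp(68, 67, b"\x01" * 16))),
    ether(GW_MAC, HOST_MAC, ETH_IPV4, ip_packet(HOST, "217.1.176.55", IPPROTO_TCP, 0x39E1,
          tcp(40000, 80))),
    ether(GW_MAC, HOST_MAC, ETH_IPV4, ip_packet(HOST, "202.56.250.6", IPPROTO_ICMP, 0x39E2,
          struct.pack("!BBHHH", 8, 0, 0, 1, 1))),           # ICMP echo: no ports
    ether(BCAST, HOST_MAC, ETH_ARP, arp_request(HOST_MAC, HOST, "117.97.37.1")),  # no IP layer
]

def write_pcap(path, frames):
    """Write frames as a classic pcap (link type 1 = Ethernet) for tshark -r."""
    with open(path, "wb") as f:
        f.write(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1))
        ts = int(time.time())
        for i, fr in enumerate(frames):
            f.write(struct.pack("<IIII", ts, i, len(fr), len(fr)) + fr)

def columns(frame):
    """Return (src, dst, proto, sport, dport, ipid) as strings; blank when a
    layer is absent, like tshark's empty columns in the reply."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_IPV4:                     # no IP addresses: fall back to link layer
        fmt = lambda m: ":".join(f"{b:02x}" for b in m)
        name = "ARP" if ethertype == ETH_ARP else f"0x{ethertype:04x}"
        return (fmt(src_mac), fmt(dst_mac), name, "", "", "")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    ip_id, proto = struct.unpack("!H", ip[4:6])[0], ip[9]
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    sport = dport = ""
    name = PROTO_NAMES.get(proto, str(proto))
    if proto in (IPPROTO_TCP, IPPROTO_UDP):       # only these carry ports here
        sp, dp = struct.unpack("!HH", ip[ihl:ihl + 4])
        sport, dport = str(sp), str(dp)
        name = PORT_NAMES.get(dp) or PORT_NAMES.get(sp) or name
    return (src, dst, name, sport, dport, f"0x{ip_id:04x} ({ip_id})")

def format_rows(frames):
    """One line per frame, single space between columns, as the reply describes."""
    return [" ".join(columns(fr)) for fr in frames]

if __name__ == "__main__":
    write_pcap("sample.pcap", FRAMES)   # then: tshark -n -r sample.pcap -o column.format:...
    print("\n".join(format_rows(FRAMES)))
```

Running the script writes `sample.pcap` next to it; feeding that file to the tshark command from the reply lets you compare its column output with the script's rows, including the blank cells for the ARP and ICMP frames.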