Wireshark-users: Re: [Wireshark-users] tshark output
From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Mon, 23 Mar 2009 20:52:12 -0700

On Mar 23, 2009, at 8:24 PM, Stephen Fisher wrote:

> Try redirecting the output of the first command to the file.  The -w
> option is for writing raw packet data in libpcap format to a file.  To
> quote the tshark man page:
>
>     If you want to write the decoded form of packets to a file, run TShark
>     without the -w option, and redirect its standard output to the file
>     (do not use the -w option).

At least with the top-of-tree SVN version of tshark, you can combine the two:

tshark -S -i eth0 -n port 68 -R 'bootp.type == 2' -o column.format:'"Source MAC","%hs"' -w /tmp/mac

"-S" says it should both print packet information to the standard output *and* write to the file specified in the "-w" option. (Obviously, specifying the standard output to the "-w" flag would be a Very Bad Idea in that case.)