Hi Paul (or Vincent;-))
On Sat, 29 Jan 2011 00:26:40 -0800 (PST) vincent paul wrote:
>Hi All,
>
>1) I try to use tshark to export a capture into csv file. I use -T fields -E
>separator=, -e tcp.time_delta....... I could see other column data but not
>tcp.time_delta. Any idea.
No, but it does print the frame.time_delta
$ tshark -r test.pcap -T fields -E separator=, -e frame.number -e frame.time_delta
>2) What is the filter to use with tshark statistic to print out the duration of
>every TCP connection in a capture (as "duration" column in
>Statistics--->Conversation table).
You can use the following, but it does not print the duration:
$ tshark -r test.pcap -q -z conv,eth -z conv,ip -z conv,tcp
See the man-page for more information:
http://www.wireshark.org/docs/man-pages/tshark.html
>3) With "-T text" option, tshark will print out packets' summary line by line
>displayed by wireshark's GUI. Is there any way to select some column data not
>all columns, or additional column data (i.e. probably "-o option" but how to set
>up related filter/file...)
Here is an example:
$ tshark -i 3 -o 'column.format:"No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "Protocol", "%p", "srcport", "%uS", "dstport", "%uD", "len", "%L", "Info", "%i", "tcp.flags.ack", "%Cus:tcp.flags.ack", "tcp.flags.syn", "%Cus:tcp.flags.syn"'
$ tshark -r test.pcap -o 'column.format:"No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "Protocol", "%p", "srcport", "%uS", "dstport", "%uD", "len", "%L", "Info", "%i", "tcp.flags.ack", "%Cus:tcp.flags.ack", "tcp.flags.syn", "%Cus:tcp.flags.syn"'
My best
Joke
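
For question 2, one way to derive a per-connection duration from the same `-T fields` CSV export used for question 1. This is an added example, not part of the original message; it assumes the export carries the fields tcp.stream and frame.time_relative, the function names are hypothetical, and the sample rows are constructed.

```shell
#!/bin/sh
# Per-TCP-stream duration from tshark CSV output.
# Expected input, one row per frame: tcp.stream,frame.time_relative
# e.g. produced by:
#   tshark -r test.pcap -T fields -E separator=, -e tcp.stream -e frame.time_relative
# Output, one row per stream: stream,frames,first_seen,duration (seconds)
conv_durations() {
    awk -F, '
        $1 == "" || $2 == "" { next }   # non-TCP frame or missing timestamp
        !($1 in first) { first[$1] = $2 + 0; last[$1] = $2 + 0; n[$1] = 0 }
        {
            t = $2 + 0
            if (t < first[$1]) first[$1] = t   # tolerate out-of-order rows
            if (t > last[$1])  last[$1]  = t
            n[$1]++
        }
        END {
            for (s in first)
                printf "%s,%d,%.6f,%.6f\n", s, n[s], first[s], last[s] - first[s]
        }
    ' | sort -t, -k1,1n
}

# Constructed sample rows: two TCP streams interleaved with one non-TCP frame.
sample_rows() {
    cat <<'EOF'
0,0.000000
0,0.000310
,0.100000
1,0.250000
0,1.500000
1,0.250900
1,4.750000
EOF
}

sample_rows | conv_durations
```

The duration here is the time between the first and last frame seen for each tcp.stream index, so a connection that is cut off by the start or end of the capture is reported shorter than it really was.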