Hi Jacob,
-T fields
$ tshark -r test.pcap -R "frame.number<40" -T fields -e frame.number -e frame.time \
    -e frame.time_delta -e frame.time_delta_displayed -e frame.time_relative \
    -E header=y
You can use -o column.format to print other columns:
$ tshark -r test.pcap -R "frame.number<40" \
    -o 'column.format:"No.","%m","Time","%t","Time","%Yt","Time","%Tt","Time","%Rt","Source","%s","Destination","%d","Protocol","%p","tcp.port","%Cus:tcp.port","udp.port","%Cus:udp.port","Len","%L","Info","%i"' \
    -T psml
For time formats take a look at:
http://anonsvn.wireshark.org/wireshark/trunk/epan/column.c
"%Yt", /* 1) COL_ABS_DATE_TIME */
"%At", /* 2) COL_ABS_TIME */
"%Tt", /* 11) COL_DELTA_TIME */
"%dct", /* 12) COL_DELTA_CONV_TIME */
"%Gt", /* 13) COL_DELTA_TIME_DIS */
"%Rt", /* 49) COL_REL_TIME */
"%rct", /* 50) COL_REL_CONV_TIME */
"%t", /* 58) COL_CLS_TIME */
Hope this helps
Joke
On Mon, 11 Jul 2011 15:07:40 -0400 Abel, Jacob wrote:
>Hello all,
>
>I'm using Wireshark to dump out capture files at regular intervals. I'm
>going to merge the in and out traffic together with mergecap and then I
>want to process the data with tshark. I only need basic information, but
>the PSML format doesn't provide quite enough. I need port numbers in
>addition to that basically. I've been trying to sort of emulate the PSML
>output, but need help with the filters. There are way too many and
>searching doesn't really help. This is what I have so far:
>
>tshark -r test.pcap -T fields -E header=y -e ip.src -e ip.dst -e udp.port -e tcp.port -e frame.len > test.txt
>
>In addition to this information, I need the time (seconds, hh:mm:ss,
>doesn't matter) and the protocol, for starters. It would also be nice to
>see the info field as well, if it exists.
>
>Thanks in advance,
>
>Jacob
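
For the post-processing step discussed in this thread, an added example (not code from either poster or from the Wireshark project) that parses the tab-separated output of -T fields -E header=y into one record per packet with a protocol label and source/destination ports. The sample lines are constructed, the names parse_fields and split_ports are hypothetical, and it assumes tshark's default -E settings (tab separator, repeated fields joined with a comma, outermost occurrence first).

```python
import csv
import io

# Constructed sample of the output of:
#   tshark -r test.pcap -T fields -E header=y -e frame.time_relative \
#          -e ip.src -e ip.dst -e udp.port -e tcp.port -e frame.len
# tcp.port / udp.port match both the source and the destination port,
# so each packet yields two values joined by "," in one column.
SAMPLE = (
    "frame.time_relative\tip.src\tip.dst\tudp.port\ttcp.port\tframe.len\n"
    "0.000000000\t192.0.2.10\t192.0.2.53\t53124,53\t\t74\n"
    "0.012345000\t192.0.2.10\t198.51.100.7\t\t49152,443\t66\n"
    "0.020000000\t\t\t\t\t42\n"                      # no IP layer (e.g. ARP)
    "0.030000000\t192.0.2.10\t192.0.2.1\t\t\t98\n"   # IP, no ports (e.g. ICMP)
)


def split_ports(value):
    """'49152,443' -> (49152, 443); empty or incomplete -> (None, None)."""
    parts = [p for p in (value or "").split(",") if p]
    if len(parts) < 2:
        return (None, None)
    # Assumption: with encapsulated packets the outermost pair comes first.
    return (int(parts[0]), int(parts[1]))


def first(value):
    """First occurrence of a possibly repeated field, or None if absent."""
    return (value or "").split(",")[0] or None


def parse_fields(text):
    """Turn tshark -T fields output (with header row) into a list of dicts."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    rows = []
    for rec in reader:
        proto, sport, dport = "other", None, None
        for name in ("tcp", "udp"):
            s, d = split_ports(rec.get(name + ".port"))
            if s is not None:
                proto, sport, dport = name, s, d
                break
        rows.append({
            "time": float(rec["frame.time_relative"]),
            "src": first(rec.get("ip.src")), "dst": first(rec.get("ip.dst")),
            "proto": proto, "sport": sport, "dport": dport,
            "length": int(rec["frame.len"]),
        })
    return rows
```
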