Wireshark mailing list archives
SMTP and tshark fields
From: spiffy pickle <spiffypickle () gmail com>
Date: Wed, 7 Oct 2009 12:01:34 -0400
Hello Everyone,

I am trying to extract attachment filenames from SMTP streams using the '-T fields' option. The problem is that there are multiple smtp.req.commands, so most of the time instead of seeing the filename in the output I see base64. The tshark command I'm using is:

    tshark -r example.pcap -R 'smtp.req.command contains "filename" || smtp.req.parameter contains "filename"' -T fields -e ip.src -e ip.dst -e smtp.req.parameter -e smtp.req.command

I'm using a Perl one-liner right now to get the filename without using -T fields but was wondering if there was a way to get tshark to output it.

Any suggestions?

Thanks,
Harley
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users