Wireshark mailing list archives
Re: Reporting with Wireshark
From: "j.snelders" <j.snelders () telfort nl>
Date: Wed, 13 Jul 2011 21:52:35 +0200
Hi Jacob,

-T fields

$ tshark -r test.pcap -R "frame.number<40" -T fields -e frame.number -e frame.time -e frame.time_delta -e frame.time_delta_displayed -e frame.time_relative -E header=y

You can use -o column.format to print other columns:

$ tshark -r test.pcap -R "frame.number<40" -o 'column.format:"No.","%m", "Time", "%t", "Time", "%Yt", "Time", "%Tt", "Time", "%Rt", "Source", "%s", "Destination", "%d", "Protocol", "%p", "tcp.port", "%Cus:tcp.port", "udp.port", "%Cus:udp.port", "Len", "%L", "Info","%i"' -T psml

For time formats take a look at:
http://anonsvn.wireshark.org/wireshark/trunk/epan/column.c

    "%Yt",   /* 1) COL_ABS_DATE_TIME */
    "%At",   /* 2) COL_ABS_TIME */
    "%Tt",   /* 11) COL_DELTA_TIME */
    "%dct",  /* 12) COL_DELTA_CONV_TIME */
    "%Gt",   /* 13) COL_DELTA_TIME_DIS */
    "%Rt",   /* 49) COL_REL_TIME */
    "%rct",  /* 50) COL_REL_CONV_TIME */
    "%t",    /* 58) COL_CLS_TIME */

Hope this helps
Joke

On Mon, 11 Jul 2011 15:07:40 -0400 Abel, Jacob wrote:
Hello all,

I'm using Wireshark to dump out capture files at regular intervals. I'm going to merge the in and out traffic together with mergecap and then I want to process the data with tshark. I only need basic information, but the PSML format doesn't provide quite enough. I need port numbers in addition to that basically. I've been trying to sort of emulate the PSML output, but need help with the filters. There are way too many and searching doesn't really help.

This is what I have so far:

tshark -r test.pcap -T fields -E header=y -e ip.src -e ip.dst -e udp.port -e tcp.port -e frame.len > test.txt

In addition to this information, I need the time (seconds, hh:mm:ss, doesn't matter) and the protocol, for starters. It would also be nice to see the info field as well, if it exists.

Thanks in advance,
Jacob
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
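Added example (not part of the original thread, and not Wireshark project code): a Python post-processor for the `-T fields -E header=y` report discussed above. It assumes the column set from Jacob's command with `frame.time_relative` added, tshark's default tab separator and comma-joined multiple occurrences (so `tcp.port` prints as `src,dst`); the sample rows are constructed and the function names are hypothetical.

```python
import csv
import io
from collections import defaultdict

# Constructed sample of `tshark -T fields -E header=y` output (tab-separated).
# tcp.port / udp.port occur twice per packet, so each cell reads "src,dst".
SAMPLE = (
    "frame.time_relative\tip.src\tip.dst\tudp.port\ttcp.port\tframe.len\n"
    "0.000000\t10.0.0.5\t10.0.0.1\t53124,53\t\t74\n"
    "0.001200\t10.0.0.1\t10.0.0.5\t53,53124\t\t90\n"
    "0.010000\t10.0.0.5\t192.0.2.10\t\t49152,443\t66\n"
    "0.020500\t10.0.0.5\t192.0.2.10\t\t49152,443\t583\n"
    "0.500000\t\t\t\t\t60\n"  # non-IP frame: every field except the length is empty
)

def parse_rows(text):
    """Yield one dict per packet, deriving the protocol from the filled port column."""
    reader = csv.DictReader(io.StringIO(text), delimiter="\t", quoting=csv.QUOTE_NONE)
    for row in reader:
        proto, ports = "other", []
        for name in ("tcp", "udp"):
            if row.get(name + ".port"):
                # Keep only the first src/dst pair; encapsulated headers add more.
                proto, ports = name, row[name + ".port"].split(",")[:2]
        yield {
            "time": float(row["frame.time_relative"]),
            "src": row["ip.src"] or "-",
            "dst": row["ip.dst"] or "-",
            "proto": proto,
            "sport": int(ports[0]) if ports else None,
            "dport": int(ports[1]) if len(ports) > 1 else None,
            "len": int(row["frame.len"]),
        }

def bytes_per_flow(text):
    """Sum frame lengths per (src, dst, proto, destination port)."""
    totals = defaultdict(int)
    for pkt in parse_rows(text):
        totals[(pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])] += pkt["len"]
    return dict(totals)

if __name__ == "__main__":
    for flow, total in sorted(bytes_per_flow(SAMPLE).items(), key=lambda kv: -kv[1]):
        print(flow, total)
```

To run it on a real capture, replace SAMPLE with the contents of the file the tshark command was redirected to.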