tshark outputting all fields?
Just stumbled across:
tshark -T pdml
which is exactly what I need:
<packet>
<proto name="geninfo" pos="0" showname="General information" size="173">
<field name="num" pos="0" show="323" showname="Number" value="143" size="173"/>
<field name="len" pos="0" show="173" showname="Frame Length" value="ad" size="173"/>
<field name="caplen" pos="0" show="173" showname="Captured Length" value="ad" size="173"/>
<field name="timestamp" pos="0" show="Aug 7, 2011 16:16:13.579504000 EST" showname="Captured Time" value="1312697773.579504000" size="173"/>
</proto>
<proto name="frame" showname="Frame 323: 173 bytes on wire (1384 bits), 173 bytes captured (1384 bits)" size="173" pos="0">
<field name="frame.time" showname="Arrival Time: Aug 7, 2011 16:16:13.579504000 EST" size="0" pos="0" show="Aug 7, 2011 16:16:13.579504000"/>
... etc.
It includes the Wireshark filter name, as well as all the fields that are included in the packet.
Update: This is quite slow, and hacking up tshark.c so -V prints out the abbrev instead of the name in the header_field_info *hfinfo; does the trick too. I should probably contribute this as an option when I get the chance.
gak
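A small parser for the PDML output shown above, added here as an example (it is not from the original post or from the Wireshark project): it walks every <field> under each <packet> and emits the name:value lines the question asks for, with the separator configurable and escaped when it appears inside a value. The PDML is a constructed sample shaped like tshark's real output.

```python
# Added example: convert `tshark -T pdml` output into compact name:value lines.
# Standard library only. SAMPLE_PDML is a constructed sample that mirrors the
# structure tshark emits: nested <proto>/<field>, where `name` is the Wireshark
# filter abbreviation and `show` is the decoded value.
import xml.etree.ElementTree as ET

SAMPLE_PDML = """<pdml version="0">
<packet>
<proto name="geninfo" pos="0" showname="General information" size="173">
<field name="num" pos="0" show="323" showname="Number" value="143" size="173"/>
</proto>
<proto name="eth" showname="Ethernet II" size="14" pos="0">
<field name="eth.src" showname="Source: f2:3c:91:96:fd:09" size="6" pos="6" show="f2:3c:91:96:fd:09"/>
</proto>
<proto name="ip" showname="Internet Protocol Version 4" size="20" pos="14">
<field name="ip.src" showname="Source: 1.2.3.4" size="4" pos="26" show="1.2.3.4"/>
</proto>
<proto name="http" showname="Hypertext Transfer Protocol" size="139" pos="34">
<field name="http.request.line" showname="GET /index.html HTTP/1.1" size="26" pos="34" show="GET /index.html HTTP/1.1">
<field name="http.request.method" showname="Request Method: GET" size="3" pos="34" show="GET"/>
<field name="http.request.uri" showname="Request URI: /index.html" size="11" pos="38" show="/index.html"/>
</field>
<field name="http.accept" showname="Accept: text/html,application/xml" size="30" pos="60" show="text/html,application/xml"/>
</proto>
</packet>
</pdml>
"""

def iter_fields(packet):
    """Yield (filter_name, decoded_value) for every <field> below a <packet>,
    in document order and descending into nested fields; unnamed nodes skipped."""
    for field in packet.iter("field"):
        name, show = field.get("name"), field.get("show")
        if name and show is not None:
            yield name, show

def packet_records(pdml_text, sep=","):
    """Return one string per <packet>: name:value pairs joined by `sep`.
    A backslash escapes a literal `sep` (or backslash) inside a value."""
    root = ET.fromstring(pdml_text)
    records = []
    for packet in root.iter("packet"):
        pairs = []
        for name, show in iter_fields(packet):
            show = show.replace("\\", "\\\\").replace(sep, "\\" + sep)
            pairs.append(name + ":" + show)
        records.append(sep.join(pairs))
    return records
```

Feed it real output with `tshark -r capture.pcap -T pdml` and pass the text to packet_records; sep="\xff" reproduces the separator idea from the question without any escaping of commas.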
Updated on July 29, 2022
Comments
-
gak almost 2 years
Is it possible to get tshark to output every field (within the packet) using the -T fields option, or similar? e.g. For every field in the packet/reconstruction, I would like something like this:
eth.src:f2:3c:91:96:fd:09,ip.src:1.2.3.4,tcp.dst_port:80,http.request.uri:/index.html
(The comma could be replaced with a \xff to make parsing better when values contain commas.)
I realise there is the -e option but it seems that I would have to put in every single possible field in the command line. On top of that, only a small fraction of fields will be used in each packet, which makes for a lot of data to parse.
I currently plan to use the tshark -V option and parse that, but ideally I would like more machine style terms such as http.request.uri instead of "human readable" e.g.:
Hypertext Transfer Protocol
    GET /main.php HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /main.php HTTP/1.1\r\n]
            [Message: GET /main.php HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /main.php
-
langiac almost 6 years
How do you hack up tshark.c? Can you give a guide or example for me? Thanks