tshark outputting all fields?


Just stumbled across:

tshark -T pdml

which is exactly what I need:

<packet>
  <proto name="geninfo" pos="0" showname="General information" size="173">
    <field name="num" pos="0" show="323" showname="Number" value="143" size="173"/>
    <field name="len" pos="0" show="173" showname="Frame Length" value="ad" size="173"/>
    <field name="caplen" pos="0" show="173" showname="Captured Length" value="ad" size="173"/>
    <field name="timestamp" pos="0" show="Aug  7, 2011 16:16:13.579504000 EST" showname="Captured Time" value="1312697773.579504000" size="173"/>
  </proto>
  <proto name="frame" showname="Frame 323: 173 bytes on wire (1384 bits), 173 bytes captured (1384 bits)" size="173" pos="0">
    <field name="frame.time" showname="Arrival Time: Aug  7, 2011 16:16:13.579504000 EST" size="0" pos="0" show="Aug  7, 2011 16:16:13.579504000"/>
    ... etc.

It includes the Wireshark filter name, as well as all the fields that are included in the packet.

Update: This is quite slow, and hacking up tshark.c so that -V prints out the abbrev instead of the name in the header_field_info *hfinfo does the trick too. I should probably contribute this as an option when I get the chance.

Author: gak

Updated on July 29, 2022
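The answer above gets as far as "use -T pdml"; what a practitioner then needs is the step from that XML to the one-line, filter-name:value form the question asks for. The following is an added example, not code from the original post or from the Wireshark project. It parses PDML with the standard library, walks nested fields (PDML nests fields under other fields, as with the HTTP request line and its children), keys each value by the Wireshark filter name from the name attribute, and takes the decoded value from the show attribute. The embedded PDML is a constructed sample shaped like tshark -T pdml output, not a real capture; field names such as tcp.dstport are the real filter names (the question's tcp.dst_port is not). The question's idea of a 0xff separator is a byte-level trick; here the default separator is the ASCII unit separator (0x1f), which is a single byte in UTF-8 and does not occur in decoded display values. Newer tshark versions also offer -T json, which emits the same protocol tree as JSON and is the easier route when available.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample PDML in the shape of `tshark -T pdml -r capture.pcap`
# output. The packet, addresses and URI are illustrative, not a real capture.
# The string must begin with the XML declaration (no leading whitespace).
SAMPLE_PDML = r"""<?xml version="1.0"?>
<pdml version="0" creator="wireshark/1.6.1">
<packet>
  <proto name="geninfo" pos="0" showname="General information" size="173">
    <field name="num" pos="0" show="323" showname="Number" value="143" size="173"/>
    <field name="len" pos="0" show="173" showname="Frame Length" value="ad" size="173"/>
  </proto>
  <proto name="eth" showname="Ethernet II" size="14" pos="0">
    <field name="eth.src" showname="Source: f2:3c:91:96:fd:09" size="6" pos="6" show="f2:3c:91:96:fd:09" value="f23c9196fd09"/>
  </proto>
  <proto name="ip" showname="Internet Protocol Version 4" size="20" pos="14">
    <field name="ip.src" showname="Source: 1.2.3.4" size="4" pos="26" show="1.2.3.4" value="01020304"/>
  </proto>
  <proto name="tcp" showname="Transmission Control Protocol" size="20" pos="34">
    <field name="tcp.dstport" showname="Destination port: 80" size="2" pos="36" show="80" value="0050"/>
  </proto>
  <proto name="http" showname="Hypertext Transfer Protocol" size="26" pos="54">
    <field name="" show="GET /index.html HTTP/1.1\r\n" size="26" pos="54" value="474554202f696e6465782e68746d6c20485454502f312e310d0a">
      <field name="http.request.method" showname="Request Method: GET" size="3" pos="54" show="GET" value="474554"/>
      <field name="http.request.uri" showname="Request URI: /index.html" size="11" pos="58" show="/index.html" value="2f696e6465782e68746d6c"/>
    </field>
  </proto>
</packet>
</pdml>
"""

# geninfo is a PDML-only pseudo-protocol whose field names (num, len, ...)
# are not Wireshark filter names; the real ones live under <proto name="frame">.
DEFAULT_SKIP_PROTOS = ("geninfo",)


def packet_fields(packet, skip_protos=DEFAULT_SKIP_PROTOS):
    """Return [(filter_name, decoded_value), ...] for one <packet> element.

    Element.iter() is depth-first over all descendants, so fields nested under
    other fields (for example the HTTP request line's children) are included.
    Fields with an empty name are text-only tree lines with no filter name;
    they are skipped, but their named children are still collected.
    """
    pairs = []
    for proto in packet.findall("proto"):
        if proto.get("name") in skip_protos:
            continue
        for field in proto.iter("field"):
            name = field.get("name", "")
            if not name:
                continue
            pairs.append((name, field.get("show", "")))
    return pairs


def format_packet(pairs, sep="\x1f"):
    """Join name:value pairs into one line, using a separator that cannot
    appear in decoded values (ASCII unit separator by default)."""
    return sep.join(f"{name}:{value}" for name, value in pairs)


def parse_pdml(text):
    """Parse a PDML document and return one field list per <packet>."""
    root = ET.fromstring(text)
    return [packet_fields(packet) for packet in root.iter("packet")]


if __name__ == "__main__":
    # Usage: tshark -T pdml -r capture.pcap | python3 pdml_fields.py
    # With no piped input, the constructed sample above is parsed instead.
    data = SAMPLE_PDML if sys.stdin.isatty() else sys.stdin.read()
    for pairs in parse_pdml(data):
        print(format_packet(pairs, sep=","))
```

Each packet comes out as one line such as eth.src:f2:3c:91:96:fd:09,ip.src:1.2.3.4,tcp.dstport:80,http.request.method:GET,http.request.uri:/index.html when the comma separator is used; swap the separator for the default unit separator (or emit JSON) if the values may contain commas. Parsing is done with the full-document ET.fromstring for brevity; for large captures, ET.iterparse on the packet element avoids holding the whole tree in memory.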

Comments

  • gak, almost 2 years ago

    Is it possible to get tshark output every field (within the packet) using the -T fields option, or similar?

    e.g. For every field in the packet/reconstruction, I would like something like this:

    eth.src:f2:3c:91:96:fd:09,ip.src:1.2.3.4,tcp.dst_port:80,http.request.uri:/index.html
    

    (The comma could be replaced with a \xff to make parsing better when values contain commas.)

    I realise there is the -e option but it seems that I would have to put in every single possible field in the command line. On top of that, only a small fraction of fields will be used in each packet, which makes for a lot of data to parse.

    I currently plan to use the tshark -V option and parse that, but ideally I would like more machine style terms such as http.request.uri instead of "human readable" e.g.:

    Hypertext Transfer Protocol
        GET /main.php HTTP/1.1\r\n
            [Expert Info (Chat/Sequence): GET /main.php HTTP/1.1\r\n]
                [Message: GET /main.php HTTP/1.1\r\n]
                [Severity level: Chat]
                [Group: Sequence]
            Request Method: GET
            Request URI: /main.php
    
  • langiac, almost 6 years ago
    How do you hack up tshark.c? Can you guide me or give an example? Thanks