Tuesday, May 11, 2010

Producing greppable output with tshark

Tshark is the command-line counterpart of Wireshark, the open-source packet capture and analysis tool. The trick to getting line-oriented, greppable output is to combine '-T fields' with one '-e' option per field you want: each packet then becomes one line carrying the requested fields in the order the '-e' options were given, separated by tabs (changeable with '-E separator=...'), and a field that a packet does not contain is left as an empty column, so column positions stay fixed for grep, awk and cut. Field names can be found by opening 'input.pcap' in Wireshark and clicking the "Expression..." button next to the filter text box, or listed in bulk with 'tshark -G fields'. Add '-E header=y' to print the field names as a first row, and use a display filter ('-R' in tshark versions of this post's era, '-Y' in current ones) to restrict which packets are printed at all.

Example:

tshark -e frame.time_relative -e frame.number -e frame.len -e ip.src -e ip.dst -e dccp.ccval -e dccp.type -e dccp.seq -e ip.len -Tfields -r input.pcap
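Once tshark emits one tab-separated line per packet, the rest is ordinary Unix text processing. The script below is an added example, not part of the original post: it builds a tshark command line for a chosen pcap and field list, and sums ip.len per source/destination pair from such field output with awk, skipping frames that have no IP layer (their ip.src/ip.dst columns are empty). The sample lines are constructed by hand to look like what 'tshark -T fields -e frame.number -e ip.src -e ip.dst -e ip.len' prints for a five-frame capture; no pcap is read, so it runs without tshark installed. The '-E occurrence=f' option is a real tshark option that keeps only the first value when a field appears more than once in a frame (for example in tunnelled IP), which preserves the one-value-per-column layout awk relies on.

```shell
#!/bin/sh
# Added example (not from the original post): post-processing tshark
# "-T fields" output with awk. Field names used are real tshark fields.

# Build the tshark command line for a pcap and a list of fields.
# -E separator=/t makes the tab separator explicit; -E occurrence=f keeps
# the first value of a field that occurs several times in one frame.
tshark_fields_cmd() {
    pcap=$1
    shift
    cmd="tshark -r $pcap -T fields -E separator=/t -E occurrence=f"
    for f in "$@"; do
        cmd="$cmd -e $f"
    done
    printf '%s\n' "$cmd"
}

# Sum ip.len per "src -> dst" pair from tab-separated field lines on stdin.
# Expected column order: frame.number, ip.src, ip.dst, ip.len.
# Frames without an IP layer (empty ip.src/ip.dst columns) are skipped.
bytes_per_flow() {
    awk -F'\t' '$2 != "" && $3 != "" { bytes[$2 " -> " $3] += $4 }
                END { for (k in bytes) printf "%s\t%d\n", k, bytes[k] }' | sort
}

# CONSTRUCTED sample: what tshark would print for a five-frame capture
# with the four fields above. Frame 3 is a non-IP frame (e.g. ARP), so its
# ip.* columns are empty but still present.
sample_output() {
    printf '1\t10.0.0.1\t10.0.0.2\t60\n'
    printf '2\t10.0.0.2\t10.0.0.1\t52\n'
    printf '3\t\t\t\n'
    printf '4\t10.0.0.1\t10.0.0.2\t1500\n'
    printf '5\t192.168.1.5\t10.0.0.2\t40\n'
}

# Bytes for one flow key from the sample, e.g. flow_bytes "10.0.0.1 -> 10.0.0.2".
flow_bytes() {
    sample_output | bytes_per_flow | awk -F'\t' -v k="$1" '$1 == k { print $2 }'
}

# Stand-alone run: show the command line and the per-flow totals.
tshark_fields_cmd input.pcap frame.number ip.src ip.dst ip.len
sample_output | bytes_per_flow
```

To use it against a real capture, replace sample_output with the command that tshark_fields_cmd prints; because empty fields still occupy their column, the awk field numbers stay valid even for frames that lack some of the requested fields.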