Menu
Is it possible to get tshark output every field (within the packet) using the -T fields option, or similar?
e.g. For every field in the packet/reconstruction, I would like something like this:
eth.src:f2:3c:91:96:fd:09,ip.src:1.2.3.4,tcp.dst_port:80,http.request.uri:/index.html
(The comma could be replaced with a \xff to make parsing better when values contain commas.)
I realise there is the -e option but it seems that I would have to put in every single possible field in the command line. On top of that, only a small fraction of fields will be used in each packet, which makes for a lot of data to parse.
I currently plan to use the tshark -V option and parse that, but ideally I would like more machine style terms such as http.request.uri instead of "human readable" e.g.:
Hypertext Transfer Protocol
GET /main.php HTTP/1.1\r\n
[Expert Info (Chat/Sequence): GET /main.php HTTP/1.1\r\n]
[Message: GET /main.php HTTP/1.1\r\n]
[Severity level: Chat]
[Group: Sequence]
Request Method: GET
Request URI: /main.php
795
TShark is the command line version of Wireshark. It works similarly to tcpdump but is capable of parsing hundreds of protocols directly. It is therefore very useful for in-depth protocol analysis.
Type tshark -D and tshark will list all the available interfaces. Note that not all the listed interfaces will be working. Type ifconfig to find working interfaces on your system. In my case, it's enp0s3.
Once you start capturing data, you'll see packets displayed in real-time, as shown below. And at any point, you can press Ctrl+C to stop from capturing packets. Like other popular data-network packet analyzer tools, such as tcpdump and Wireshark, Tshark uses the pcap library (libpcap) to capture packets.
Wireshark is a graphical application. tshark is that application without the GUI. (i.e. command line.) dumpcap , per Wireshark's documentation, is "a small program whose only purpose is to capture network traffic, while retaining advanced features like capturing to multiple files (since version 0.99.
Just stumbled across:
tshark -T pdml
which is exactly what I need:
<packet>
<proto name="geninfo" pos="0" showname="General information" size="173">
<field name="num" pos="0" show="323" showname="Number" value="143" size="173"/>
<field name="len" pos="0" show="173" showname="Frame Length" value="ad" size="173"/>
<field name="caplen" pos="0" show="173" showname="Captured Length" value="ad" size="173"/>
<field name="timestamp" pos="0" show="Aug 7, 2011 16:16:13.579504000 EST" showname="Captured Time" value="1312697773.579504000" size="173"/>
</proto>
<proto name="frame" showname="Frame 323: 173 bytes on wire (1384 bits), 173 bytes captured (1384 bits)" size="173" pos="0">
<field name="frame.time" showname="Arrival Time: Aug 7, 2011 16:16:13.579504000 EST" size="0" pos="0" show="Aug 7, 2011 16:16:13.579504000"/>
... etc.
It includes the Wireshark filter name, as well as all the fields that are included in the packet.
Update: This is quite slow, and hacking up tshark.c so -V prints out the abbrev instead of the name in the header_field_info *hfinfo; does the trick too. I should probably contribute this an a option when I get the chance.
184
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With