print literal test with -T fields

Discussion:

Mathias Koerber

2014-04-28 05:13:31 UTC

Is there a way in tshark(1) to include some literal text
between printer fields names?

I'm trying to do something like

-T fields -e 'trunc:' -e dns.flags.truncated

ie, print a sizeable list of fields I am interested in, but since many
(boolean) fields look the same prefix them with their names..

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe

Mathias Koerber

2014-04-28 05:29:05 UTC

Permalink

I have a rather large pcap file I am trying to extract
relevant frames from using tshark.

using

# tshark -2 -n -r infile -R '(filter)' -T fields -e frame.number

yields frame-numbers starting from 1 anr continuously increasing.
So apparently this counts the frames that matched the display filter.

I would like to print the actual frame-number from the input file,
so that I can later find the frames in their original context.

How to do that?

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe

Evan Huus

2014-04-28 11:39:53 UTC

Permalink

Post by Mathias Koerber
I have a rather large pcap file I am trying to extract
relevant frames from using tshark.
using
# tshark -2 -n -r infile -R '(filter)' -T fields -e frame.number
yields frame-numbers starting from 1 anr continuously increasing.
So apparently this counts the frames that matched the display filter.
I would like to print the actual frame-number from the input file,
so that I can later find the frames in their original context.
How to do that?

If you're using tshark 1.10 or later, use the -Y 'filter' flag instead
of -R 'filter'.

Evan
___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users-IZ8446WsY0/***@public.gmane.org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request-IZ8446WsY0/***@public.gmane.org?subject=unsubscribe

Continue reading on narkive:

Search results for 'print literal test with -T fields' (Questions and Answers)

replies

Do you believe in GOD and the "BIG BANG">?

started 2006-08-16 18:58:48 UTC

religion & spirituality

replies

BIBLE IS FALSEHOOD I SWEAR .......Christian,s are you blind ? iff not read the whole question then ans me.?

started 2006-08-05 10:46:39 UTC

religion & spirituality

replies

There are so many contradictions in the Bible...?