Wireshark-users: Re: [Wireshark-users] Wireshark GUI in tshark
From: NADEZHDA PLOTNIKOVA <nadek@xxxxxxxxxxxxxx>
Date: Thu, 25 Sep 2008 15:53:37 +0000 (GMT)
Thank you a lot!! I've found some useful options in the tshark doc already (and came up with the "partially satisfying" command line), but real-life expertise is much more appreciated and valuable! I used the new developer's version of Wireshark 1.1.0 and it took me 15 minutes to convert the cap file to a text format! That's why I have switched to tshark; also it is much more convenient to use tshark in overnight tests... which I am currently to write :)
Will continue using tshark!!!
--- On Wed, 24/9/08, j.snelders@xxxxxxxxxx <j.snelders@xxxxxxxxxx> wrote:
From: j.snelders@xxxxxxxxxx <j.snelders@xxxxxxxxxx>
Subject: Re: [Wireshark-users] Wireshark GUI in tshark
To: wireshark-users@xxxxxxxxxxxxx
Date: Wednesday, 24 September, 2008, 8:58 PM

On Tue, 23 Sep 2008 17:30:59 +0000 (GMT) NADEZHDA PLOTNIKOVA wrote:

> I would like to use tshark for my data capturing but so far used Wireshark GUI only.
> so I need some advice on how to do the following (to start with, then I'll get the idea).
> Basically i need the script for the following:
> Wireshark->Capture->Options
>    Capture---
>    Interface - ethXX
>    Link layer - Ethernet
>    Capture files----
>    the directory and file name to put data in
> Stop capture----> After 20 sec
> Next is to press start;

Use tshark -D to print a list of interfaces
$ tshark -D
1. \Device\NPF_GenericDialupAdapter (Adapter for generic dialup and VPN capture)
2. \Device\NPF_{059B8888-3D72-4D13-8BC4-7686E3569DDB} (Broadcom NetXtreme Gigabit Ethernet Driver (Microsoft's Packet Scheduler) )
3. \Device\NPF_{96F446AD-9709-45DA-95C6-1B92778311A5} (VMware Virtual Ethernet Adapter)
4. \Device\NPF_{CAA815AD-EB16-4186-8C1B-A04E324963AD} (VMware Virtual Ethernet Adapter)

$ tshark -i 2 -a duration:20 -w file.cap
-i 2 = select interface
-a duration:20 = stop after 20 seconds
-w file.cap = set the output filename


> Then my workload finished and I need to press stop button on main panel on Wireshark
> After that I need to convert file (or, if tshark supports text output - that'd be fine!):
> WS->File->Export
>    Browse and define NEW file name a-la oldFile.txt
>    Packet range---
>    All packets
>    Packet format----
>    Summary line ON
>    Packet details ON
>    As displayed or expanded
>    Packet bytes ON

$ tshark -r file.cap > file.txt
$ tshark -r file.cap -T text > file.txt
Output: summary lines

$ tshark -r file.cap -T text -V > file.txt
Output: packet details

$ tshark -r file.cap -T text -x > file.txt
Output: summary lines and packet bytes

$ tshark -r file.cap -T text -Vx > file.txt
Output: packet details and packet bytes

It's a bit strange. There are various ways to print the summary lines. 
You can use the options -V and -x to add output of the packet details and
bytes.
In case of *-T text -x* the summary lines are printed.
In case of *-T text -Vx* the summary lines are not printed.

BTW I'm on version TShark 1.0.3 (SVN Rev 26134)

HTH
Joan

       


_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users
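
The capture and export steps from the reply above, wrapped for unattended runs such as overnight tests. This is an added example, not part of the original thread; the function name, the timestamped file naming and the output directory are assumptions, and the tshark options are the ones listed in the reply.

```shell
#!/bin/sh
# Added example, not from the thread. capture_and_export, the file naming
# and the directory layout are assumptions; the tshark options are the
# ones listed in the reply (-i, -a duration:N, -w, -r, -T text, -V, -x).

# capture_and_export IFACE SECONDS OUTDIR
# Captures for SECONDS on IFACE (a number from `tshark -D`), then writes
# two text exports next to the capture file. Prints the capture path.
capture_and_export() {
    iface=$1; secs=$2; outdir=$3

    command -v tshark >/dev/null 2>&1 || { echo "tshark not found" >&2; return 127; }
    case $secs in
        ''|*[!0-9]*) echo "duration must be a whole number of seconds" >&2; return 2 ;;
    esac
    mkdir -p "$outdir" || return 1

    base="$outdir/capture-$(date +%Y%m%d-%H%M%S)"

    # Capture step: tshark stops by itself after $secs seconds.
    tshark -i "$iface" -a "duration:$secs" -w "$base.cap" || return 1

    # Stop here if no capture file was produced, so no empty reports follow.
    [ -s "$base.cap" ] || { echo "nothing written to $base.cap" >&2; return 1; }

    # Summary lines only.
    tshark -r "$base.cap" -T text > "$base.summary.txt" || return 1
    # Packet details plus bytes. Per the thread, -Vx leaves out the summary
    # lines, which is why they go to their own file above.
    tshark -r "$base.cap" -T text -Vx > "$base.details.txt" || return 1

    echo "$base.cap"
}

# Runs only when called with three arguments, e.g.: sh capture.sh 2 20 ./captures
if [ "$#" -eq 3 ]; then
    capture_and_export "$@"
fi
```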