Wireshark-users: Re: [Wireshark-users] Print wireshark option from command
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: "Hashmat Khan" <hashmat.email@xxxxxxxxx>
Date: Wed, 17 Dec 2008 22:23:22 +0530
Thanks.

On Tue, Dec 16, 2008 at 2:06 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:

On Dec 16, 2008, at 12:07 AM, Hashmat Khan wrote:

> Thanks.
> But how do I get this kind of output:
> 117.97.37.213         217.1.176.55          CLEARCASE 600
> 371       0x39de (14814)
> 117.97.37.213         202.56.250.5          DNS      2420
> 53        0x39df (14815)
> 117.97.37.213         255.255.255.255       DHCP     68
> 67        0x39e0 (14816)
> 117.97.37.213         202.56.250.6          DNS      2420
> 53        0x39e1 (14817)
> 117.97.37.213         202.56.250.5          DNS      2420
> 53        0x39e2 (14818)
> 117.97.37.213         202.56.250.5          DNS      2420
> 53        0x39e3 (14819)
> 117.97.37.213         202.56.250.6          DNS      2420
> 53        0x39e4 (14820)
> 117.97.37.213         255.255.255.255       DHCP     68
> 67        0x39e5 (14821)
>
> I want to print any source ip followed by any dest ip followed by
> protocol type followed by src port, dest port and finally ip header
> identification.

You can't get that with File -> Print in Wireshark, either, without
changing the columns you display.

At least with top-of-tree or development-branch (1.1[.x]) Wireshark,
you could get something similar with

       ./tshark -n -r ~/captures/dhcp-crap.pcap -o
column.format:"Source","%s","Destination","%d","Protocol","%p","Source
port","%S","Dest port","%D","IP ID","%Cus:ip.id"

on UN*X; the differences are that

       1) it'll print out column headings;

       2) it'll print only one space between columns;

       3) it'll print "->" between the source and destination addresses.

Note that:

       for packets that *don't* have any IP addresses, it'll print lower-
level (link-layer) addresses, if any;

       for packets that don't have transport-layer ports or an IP ID, it'll
just print spaces.
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe