Wireshark-users: Re: [Wireshark-users] Parse fields from packets



From: "Jason Bush" <jbush82@xxxxxxxxx>
Date: Fri, 6 Jul 2007 22:36:30 -0500

Thanks for the information... I was able to use the pre-release in
order to export the fields I was looking for.

This new feature has of course brought on another question. I am
particularly interested in using the '-E separator' option... is there
a way to use this and have multiple characters separate the fields
(rather than one)?

I've tried quoting (single and double) what I'd like, but it only
takes the first character of whatever I pass to it.

tshark -i eth0 -l -V port 80 -E separator=' |' -e http.host -e
http.request.uri -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport
-Tfields

Notice the space before the pipe... I'd really like to be able to do
this.  Any idea if this is possible?


On 6/23/07, Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:
On Sat, Jun 23, 2007 at 01:46:35PM -0500, Jason Bush wrote:

> The above provides me with the fourth frame of each TCP communication
> on port 80, I then need to parse out the host, GET statement, and some
> other information.  Is there an easy way of providing this information
> in standard out, or is this something that I will have to feed the
> frame data to a script/program to parse the information?

You can if you're using version 0.99.6 (see below) or the latest SVN
tree.  Check out the -T fields option along with the -e <field name>
option and optionally the -E field in the man page.

For example:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

sfisher@shadow:/usr/local/src/wireshark>./tshark -R "http.request.method
== GET" -r ~/captures/http.pcap -T fields -e http.host -e
http.request.uri -E headers=y

sfisher@shadow:/usr/local/src/wireshark>./tshark -R "http.request.method
== GET" -r ~/captures/http.pcap -T fields -e http.host -e
http.request.uri -E header=y

http.host       http.request.uri
www.wireshark.org       /
www.wireshark.org       /favicon.ico
www.wireshark.org       /js/common.js

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Version 0.99.6 is in pre-release right now and can be downloaded from:

http://www.wireshark.org/download/prerelease/wireshark-0.99.6pre1.tar.gz
http://www.wireshark.org/download/prerelease/wireshark-0.99.6pre1.u3p
http://www.wireshark.org/download/prerelease/wireshark-setup-0.99.6pre1.exe


Steve
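One way to get the multi-character separator asked about above, as an added example that is not part of the original thread: let tshark emit its default tab-separated `-T fields` output and re-join the columns in the shell with awk. The sample lines below are constructed to look like `-E header=y` output, not real capture data.

```shell
#!/bin/sh
# Re-join tab-separated tshark field output with an arbitrary separator
# string (several characters allowed), e.g. ' |'.
# Usage: tshark -r cap.pcap -T fields -e http.host -e http.request.uri \
#            -E header=y | rejoin_fields ' |'
rejoin_fields() {
    awk -F '\t' -v sep="$1" '
        {
            # Rebuild each record field by field so empty fields survive
            # and a single-field line is printed unchanged.
            out = $1
            for (i = 2; i <= NF; i++) out = out sep $i
            print out
        }'
}

# Constructed stand-in for tshark output (header line plus two records);
# tshark separates fields with a tab by default.
sample_fields_output() {
    printf 'http.host\thttp.request.uri\tip.src\ttcp.dstport\n'
    printf 'www.wireshark.org\t/\t10.0.0.5\t80\n'
    printf 'www.wireshark.org\t/favicon.ico\t10.0.0.5\t80\n'
}

# Demo: same lines, re-joined with a two-character separator.
sample_fields_output | rejoin_fields ' |'
```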

