Wireshark-users: [Wireshark-users] SMTP and tshark fields

From: spiffy pickle <spiffypickle@xxxxxxxxx>
Date: Wed, 7 Oct 2009 12:01:34 -0400

Hello Everyone,
   I am trying to extract attachment filenames from SMTP streams using the '-T fields' option. The problem is that there are multiple smtp.req.commands, so most of the time instead of seeing the filename in the output I see base64. The tshark command I'm using is:
tshark -r example.pcap -R 'smtp.req.command contains "filename" || smtp.req.parameter contains "filename"' -T fields -e ip.src -e ip.dst -e smtp.req.parameter -e smtp.req.command

I'm using a Perl one-liner right now to get the filename without using -T fields, but was wondering if there was a way to get tshark to output it.
Any suggestions?


Thanks,
   Harley
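
One way to pull attachment filenames without depending on per-field output, as an added example that is not part of the original post: read the MIME headers inside each DATA section with Python's email module, so base64 body lines are never mistaken for a filename. It assumes the client side of the TCP stream has already been reassembled and saved as raw bytes; the sample session and the helper name `attachment_filenames` are constructed for illustration.

```python
import email

# Constructed sample: client side of one SMTP session, as raw bytes from a
# reassembled TCP stream (assumption: reassembly was done before this step).
SAMPLE_STREAM = b"\r\n".join([
    b"EHLO client.example",
    b"MAIL FROM:<a@example.com>",
    b"RCPT TO:<b@example.com>",
    b"DATA",
    b"Subject: report",
    b'Content-Type: multipart/mixed; boundary="XYZ"',
    b"",
    b"--XYZ",
    b"Content-Type: text/plain",
    b"",
    b"See attached.",
    b"--XYZ",
    b"Content-Type: application/pdf",
    b"Content-Transfer-Encoding: base64",
    b'Content-Disposition: attachment; filename="q3 report.pdf"',
    b"",
    b"JVBERi0xLjQK",
    b"--XYZ",
    b"Content-Type: application/octet-stream",
    b"Content-Disposition: attachment;",
    b" filename*=UTF-8''r%C3%A9sum%C3%A9.doc",
    b"",
    b"AAAA",
    b"--XYZ--",
    b".",
    b"QUIT",
])

def attachment_filenames(stream: bytes) -> list:
    """Hypothetical helper: filenames from every DATA section of a client stream."""
    names, body, in_data = [], [], False
    for line in stream.split(b"\r\n"):
        if not in_data:
            in_data = line.strip().upper() == b"DATA"
        elif line == b".":  # end-of-data marker: parse the collected message
            msg = email.message_from_bytes(b"\r\n".join(body))
            names += [p.get_filename() for p in msg.walk() if p.get_filename()]
            body, in_data = [], False
        else:
            body.append(line[1:] if line.startswith(b".") else line)  # undo dot-stuffing
    return names

if __name__ == "__main__":
    print(attachment_filenames(SAMPLE_STREAM))
```

The second attachment uses an RFC 2231 encoded, folded `filename*` parameter, which a plain text match on `filename="` would miss.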