Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: [Wireshark-users] SMTP and tshark fields

From: spiffy pickle <spiffypickle@xxxxxxxxx>
Date: Wed, 7 Oct 2009 12:01:34 -0400
Hello Everyone,
   I am trying to extract attachment filenames from SMTP streams using the '-T fields' option. The problem is that there are multiple smtp.req.commands, so most of the time instead of seeing the filename in the output I see base64. The tshark command I'm using is:
tshark -r example.pcap -R 'smtp.req.command contains "filename" || smtp.req.parameter contains "filename"' -T fields -e ip.src -e ip.dst -e smtp.req.parameter -e smtp.req.command

I'm using a perl one-liner right now to get the filename without using -T fields but was wondering if there was a way to get tshark to output it.
Any suggestions?


Thanks,
   Harley