Wireshark-bugs: [Wireshark-bugs] [Bug 5968] tcp values are not printed in tshark with -T fields

Date: Sat, 28 May 2011 08:11:53 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5968

--- Comment #3 from Sake <sake@xxxxxxxxxx> 2011-05-28 08:11:52 PDT ---
(In reply to comment #2)
> (In reply to comment #1)
> > Are you sure the first five packets are TCP and not UDP?
> 
> Sake, thanks that is indeed the case!
> 
> Now these messages can be delivered over either TCP or UDP (SIP protocol), is
> there a possibility to get the port independent of TCP or UDP? 

That is not possible. Of course if there is a big demand for it, it could be
added, but...

> Or should one
> specify in that case both? Like:
> 
> tshark ....... -e ip.src -e tcp.srcport -e udp.srcport \
>   -e ip.dst -e tcp.dstport -e udp.dstport 

... the above works fine. If you do need to get the port in one column, you can
always pipe the output through a little awk script to combine the two into one.

Something like:

tshark ... -E separator=',' -T fields -e ip.src -e tcp.srcport -e udp.srcport \
  -e ip.dst -e tcp.dstport -e udp.dstport | \
  awk -F, '{printf("%s,%s,%s,%s\n",$1,$2==""?$3:$2,$4,$5==""?$6:$5)}'
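
Added example (not part of the original message or of the Wireshark project): the awk merge described above, wrapped as a shell function and extended to read tshark's default tab-separated output, label the transport, and handle packets that carry neither TCP nor UDP ports. The function names, the sample rows and the file name capture.pcap are assumptions for illustration.

```shell
#!/bin/sh
# Merge the tcp.* and udp.* port columns produced by tshark -T fields.
# Expects tab-separated input on stdin, columns in this order:
#   ip.src  tcp.srcport  udp.srcport  ip.dst  tcp.dstport  udp.dstport
# Emits: ip.src  srcport  ip.dst  dstport  transport
merge_ports() {
    awk -F'\t' -v OFS='\t' '
    {
        # Prefer the TCP columns when set, then UDP, else mark as absent.
        if ($2 != "" || $5 != "")      { proto = "tcp"; sport = $2;  dport = $5 }
        else if ($3 != "" || $6 != "") { proto = "udp"; sport = $3;  dport = $6 }
        else                           { proto = "-";   sport = "-"; dport = "-" }
        src = ($1 == "" ? "-" : $1)    # non-IP frames have no ip.src
        dst = ($4 == "" ? "-" : $4)
        print src, sport, dst, dport, proto
    }'
}

# Typical use (capture.pcap is a placeholder file name). -E occurrence=f keeps
# one value per field, so a packet with repeated fields cannot shift columns:
#   tshark -r capture.pcap -T fields -E occurrence=f \
#     -e ip.src -e tcp.srcport -e udp.srcport \
#     -e ip.dst -e tcp.dstport -e udp.dstport | merge_ports

# Constructed sample rows: SIP over UDP, SIP over TCP, and a packet with no ports.
sample_rows() {
    printf '192.0.2.10\t\t5060\t192.0.2.20\t\t5060\n'
    printf '192.0.2.10\t49152\t\t192.0.2.20\t5060\t\n'
    printf '192.0.2.30\t\t\t192.0.2.10\t\t\n'
}

# Run with --demo to print the merged sample rows.
if [ "${1:-}" = "--demo" ]; then sample_rows | merge_ports; fi
```

Tabs are used instead of the comma separator because tshark's default aggregator for multi-valued fields is also a comma, which would break a comma-delimited parse.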
