
Wireshark-users: Re: [Wireshark-users] Parse fields from packets

From: "Jason Bush" <jbush82@xxxxxxxxx>
Date: Fri, 6 Jul 2007 22:36:30 -0500
Thanks for the information... I was able to use the pre-release in
order to export the fields I was looking for.

This new feature has of course brought on another question. I am
particularly interested in using the '-E separator' option... is there
a way to use this and have multiple characters separate the fields
(rather than one)?

I've tried quoting (single and double) what I'd like, but it only
takes the first character of whatever I pass to it.

tshark -i eth0 -l -V port 80 -E separator=' |' -e http.host -e
http.request.uri -e ip.src -e ip.dst -e tcp.srcport -e tcp.dstport
-Tfields

Notice the space before the pipe... I'd really like to be able to do
this.  Any idea if this is possible?


On 6/23/07, Stephen Fisher <stephentfisher@xxxxxxxxx> wrote:
On Sat, Jun 23, 2007 at 01:46:35PM -0500, Jason Bush wrote:

> The above provides me with the fourth frame of each TCP communication
> on port 80, I then need to parse out the host, GET statement, and some
> other information.  Is there an easy way of providing this information
> in standard out, or is this something that I will have to feed the
> frame data to a script/program to parse the information?

You can if you're using version 0.99.6 (see below) or the latest SVN
tree.  Check out the -T fields option along with the -e <field name>
option and optionally the -E field in the man page.

For example:

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

sfisher@shadow:/usr/local/src/wireshark>./tshark -R "http.request.method
== GET" -r ~/captures/http.pcap -T fields -e http.host -e
http.request.uri -E headers=y

sfisher@shadow:/usr/local/src/wireshark>./tshark -R "http.request.method
== GET" -r ~/captures/http.pcap -T fields -e http.host -e
http.request.uri -E header=y

http.host       http.request.uri
www.wireshark.org       /
www.wireshark.org       /favicon.ico
www.wireshark.org       /js/common.js

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Version 0.99.6 is in pre-release right now and can be downloaded from:

http://www.wireshark.org/download/prerelease/wireshark-0.99.6pre1.tar.gz
http://www.wireshark.org/download/prerelease/wireshark-0.99.6pre1.u3p
http://www.wireshark.org/download/prerelease/wireshark-setup-0.99.6pre1.exe


Steve
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
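tshark's -E separator= accepts a single character (plus the /t and /s escapes for tab and space), so a multi-character separator such as ' |' has to be applied after the export rather than by -E itself. The shell script below is an added example, not code from this thread or from the Wireshark project: it shows the usual way of getting there, exporting with -E separator=/t and rewriting the tab-separated output with awk. The tshark command in the comment is an assumption (a capture file named http.pcap; the modern -Y display-filter flag instead of the thread's -R) and is not run by the script, which processes a constructed sample of tshark-style output instead.

```shell
#!/bin/sh
# Added example, not from the thread or the Wireshark project.
# tshark -E separator= takes one character (or /t for tab, /s for space),
# so a multi-character separator is applied by post-processing the export.
#
# Assumed real-world pipeline (needs tshark and a capture; not run here).
# -Y is the display filter in current tshark; the thread's -R was the
# old read-filter form. occurrence=f keeps only the first value when a
# field occurs more than once in a packet, so the column count stays fixed.
#
#   tshark -r http.pcap -Y 'http.request.method == "GET"' -T fields \
#       -E separator=/t -E header=y -E occurrence=f \
#       -e http.host -e http.request.uri -e ip.src -e ip.dst \
#       -e tcp.srcport -e tcp.dstport | join_fields ' |'

# Rewrite tab-separated field lines with the separator string given as $1.
# A literal tab is passed as the awk field separator so that empty fields
# (a field absent from a packet) survive as empty columns instead of being
# swallowed by awk's default whitespace splitting.
join_fields() {
    tab=$(printf '\t')
    awk -F "$tab" -v sep="$1" '
    {
        line = ""
        for (i = 1; i <= NF; i++)
            line = line (i > 1 ? sep : "") $i
        print line
    }'
}

# Constructed sample in the shape of tshark -T fields -E separator=/t
# -E header=y output (hosts and addresses are made up); the last line
# stands for a request whose http.host field is missing, so its first
# column is empty and must not be dropped.
sample_export() {
    printf 'http.host\thttp.request.uri\tip.src\tip.dst\ttcp.srcport\ttcp.dstport\n'
    printf 'www.wireshark.org\t/\t10.0.0.5\t192.0.2.10\t51234\t80\n'
    printf 'www.wireshark.org\t/favicon.ico\t10.0.0.5\t192.0.2.10\t51234\t80\n'
    printf '\t/js/common.js\t10.0.0.5\t192.0.2.10\t51235\t80\n'
}

sample_export | join_fields ' |'
```

The tab export is chosen rather than the default because a tab cannot appear in a host name, address or port, so splitting on it is unambiguous; if a field could carry the separator string itself (a request URI is the only candidate here), add -E quote=d to the tshark command so each value is double-quoted and deal with the quotes in the awk step.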