Wireshark · Wireshark-users: [Wireshark-users] Using tshark to extract empty fields from pcap files

Wireshark-users: [Wireshark-users] Using tshark to extract empty fields from pcap files

From: "Mark Sass" <thesassman@xxxxxxxxxxx>

Date: Wed, 26 Mar 2008 16:06:50 -0500

All,

I am trying to extract fields from pcap files using tshark. I am currently using a format like this:

tshark -r pcapfile -R "tcp.port eq xxx" -Tfields -e field1 -e field2

I don't see the fields I wanted listed on the wireshark display filter reference listing, and when looking at the pcap files after conversion to PDML, the fields show up like this:

I can extract the data from pdml since I can use regular expressions in python to retreieve it, but I would rather get it from the pcap file instead of having to convert it to pdml and extract it. Any way I can do this using tshark at the command line?

Thanks,

Mark, thesassman@xxxxxxxxxxx

Follow-Ups:
- Re: [Wireshark-users] Using tshark to extract empty fields from pcap files
  - From: Stephen Fisher

Prev by Date: Re: [Wireshark-users] How to get rid of "TCP segment of a reassembled PDU" messages?
Next by Date: [Wireshark-users] Help tcp out of order duplicate
Previous by thread: Re: [Wireshark-users] How to get rid of "TCP segment of a reassembled PDU" messages?
Next by thread: Re: [Wireshark-users] Using tshark to extract empty fields from pcap files
Index(es):
- Date
- Thread