
Wireshark-users: Re: [Wireshark-users] Using tshark to extract empty fields from pcap files

From: "Mark Sass" <thesassman@xxxxxxxxxxx>
Date: Thu, 27 Mar 2008 09:36:42 -0500
I am not officially on the list, so I am not sure where to send this reply.  I am basically trying to capture the payload of SMTP packets, i.e. the mail message, and I am trying to capture the DNS responses that show the domain name and the IP address to which it resolved.  I am looking for the part of the DNS packet that shows "a1509.g.akamai.net: type A, class IN, addr 72.246.98.65", as in the example below from a PDML file.  In the PDML it appears as a field with name="" and show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.65", but I cannot figure out how to extract this data using tshark at the command line.  Any thoughts?

< snipped the frame, udp, etc. sections >

<proto name="dns" showname="Domain Name System (response)" size="68" pos="42">

<field name="dns.response_to" showname="Request In: 5567" size="0" pos="42" show="5567"/>

<field name="dns.time" showname="Time: 0.014816000 seconds" size="0" pos="42" show="0.014816000"/>

<field name="dns.id" showname="Transaction ID: 0x1c20" size="2" pos="42" show="0x1c20" value="1c20"/>

<field name="dns.flags" showname="Flags: 0x8400 (Standard query response, No error)" size="2" pos="44" show="0x8400" value="8400">

<field name="dns.flags.response" showname="1... .... .... .... = Response: Message is a response" size="2" pos="44" show="1" value="1" unmaskedvalue="8400"/>

<field name="dns.flags.opcode" showname=".000 0... .... .... = Opcode: Standard query (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>

<field name="dns.flags.authoritative" showname=".... .1.. .... ... = Authoritative: Server is an authority for domain" size="2" pos="44" show="1" value="1" unmaskedvalue="8400"/>

<field name="dns.flags.truncated" showname=".... ..0. .... ... = Truncated: Message is not truncated" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>

<field name="dns.flags.recdesired" showname=".... ...0 .... ... = Recursion desired: Don&apos;t do query recursively" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>

<field name="dns.flags.recavail" showname=".... .... 0... .... = Recursion available: Server can&apos;t do recursive queries" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>

<field name="dns.flags.z" showname=".... .... .0.. .... = Z: reserved (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>

<field name="dns.flags.authenticated" showname=".... .... ..0. ... = Answer authenticated: Answer/authority portion was not authenticated by the server" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>

<field name="dns.flags.rcode" showname=".... .... .... 0000 = Reply code: No error (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>

</field>

<field name="dns.count.queries" showname="Questions: 1" size="2" pos="46" show="1" value="0001"/>

<field name="dns.count.answers" showname="Answer RRs: 2" size="2" pos="48" show="2" value="0002"/>

<field name="dns.count.auth_rr" showname="Authority RRs: 0" size="2" pos="50" show="0" value="0000"/>

<field name="dns.count.add_rr" showname="Additional RRs: 0" size="2" pos="52" show="0" value="0000"/>

<field name="" show="Queries" size="24" pos="54" value="056131353039016706616b616d6169036e65740000010001">

<field name="" show="a1509.g.akamai.net: type A, class IN" size="24" pos="54" value="056131353039016706616b616d6169036e65740000010001">

<field name="dns.qry.name" showname="Name: a1509.g.akamai.net" size="20" pos="54" show="a1509.g.akamai.net" value="056131353039016706616b616d6169036e657400"/>

<field name="dns.qry.type" showname="Type: A (Host address)" size="2" pos="74" show="0x0001" value="0001"/>

<field name="dns.qry.class" showname="Class: IN (0x0001)" size="2" pos="76" show="0x0001" value="0001"/>

</field>

</field>

<field name="" show="Answers" size="32" pos="78" value="c00c0001000100000014000448f66219c00c0001000100000014000448f66241">

<field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.25" size="16" pos="78" value="c00c0001000100000014000448f66219">

<field name="dns.resp.name" showname="Name: a1509.g.akamai.net" size="2" pos="78" show="a1509.g.akamai.net" value="c00c"/>

<field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="80" show="0x0001" value="0001"/>

<field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="82" show="0x0001" value="0001"/>

<field name="dns.resp.ttl" showname="Time to live: 20 seconds" size="4" pos="84" show="20" value="00000014"/>

<field name="dns.resp.len" showname="Data length: 4" size="2" pos="88" show="4" value="0004"/>

<field name="" show="Addr: 72.246.98.25" size="4" pos="90" value="48f66219"/>

</field>

<field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.65" size="16" pos="94" value="c00c0001000100000014000448f66241">

<field name="dns.resp.name" showname="Name: a1509.g.akamai.net" size="2" pos="94" show="a1509.g.akamai.net" value="c00c"/>

<field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="96" show="0x0001" value="0001"/>

<field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="98" show="0x0001" value="0001"/>

<field name="dns.resp.ttl" showname="Time to live: 20 seconds" size="4" pos="100" show="20" value="00000014"/>

<field name="dns.resp.len" showname="Data length: 4" size="2" pos="104" show="4" value="0004"/>

<field name="" show="Addr: 72.246.98.65" size="4" pos="106" value="48f66241"/>

</field>

</field>

</proto>

</packet>

 
 
On Wed, Mar 26, 2008 at 04:06:50PM -0500, Mark Sass wrote:

> I am trying to extract fields from pcap files using tshark.  I am
> currently using a format like this:
>
> tshark -r pcapfile -R "tcp.port eq xxx" -Tfields -e field1 -e field2
>
> I don't see the fields I want in the wireshark display filter
> reference, and when looking at the pcap files after conversion
> to PDML, the fields show up like this:

Which field(s) are you trying to extract?


Steve