Wireshark-users: Re: [Wireshark-users] Wireshark-users_Digest,_Vol_22,_Issue_75
From: "赵新元" <zhaoxinyuan2000@xxxxxxx>
Date: Fri, 28 Mar 2008 11:24:09 +0800
|
Thank you very much!
#tshark -i 3 -o column.format:'"Info",
"%i"'
I use this command ,but it cann't work!
# tshark: Invalid -o flag
"column.format:'Info,"
This is the error message.
Note: My OS is Windows Xp Sp2,Tshark Version is
0.99.6a<SVN Rev 22276>
2008-03-28
赵新元
发件人:
wireshark-users-request@xxxxxxxxxxxxx
发送时间: 2008-03-27 22:50:17
收件人:
wireshark-users@xxxxxxxxxxxxx
抄送:
主题:
Wireshark-users_Digest,_Vol_22,_Issue_75
Send Wireshark-users mailing list submissions to
wireshark-users@xxxxxxxxxxxxx
To subscribe or unsubscribe via the World Wide Web, visit
or, via email, send a message with subject or body 'help' to
wireshark-users-request@xxxxxxxxxxxxx
You can reach the person managing the list at
wireshark-users-owner@xxxxxxxxxxxxx
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Wireshark-users digest..."
Today's Topics:
1. Howto: set some column to print? ( 赵新元 )
2. H1 Protocol Decode (Kevin R. DeYoung)
3. Re: Using tshark to extract empty fields from
pcap files
(Mark Sass)
4. Re: Howto: set some column to print? (Rob MacKenzie)
----------------------------------------------------------------------
Message: 1
Date: Thu, 27 Mar 2008 20:20:12 +0800
From: " 赵新元 " <zhaoxinyuan2000@xxxxxxx >
Subject: [Wireshark-users] Howto: set some column to print?
To: "wireshark-users" <wireshark-users@xxxxxxxxxxxxx
>
Message-ID: <200803272020125310550@xxxxxxx >
Content-Type: text/plain; charset="gb2312"
Hi,
Jaap, Thank you very much!
Can you tell me how to set some column to print?
#TShark -i 3 -e tcp.port -T fields //It can print port
#TShark -i 3 -e frame.number //It can print frame number
Now I want to print info column(In wireshark window display No,Time,Source,Destination,Protocol,Info, I want the last column, only the last column),Can you help me?
Can you tell me how to set the command line params ? Or Where I can find the doc?
Thank you !!!
2008-03-27
赵新元
-------------- next part --------------
An HTML attachment was scrubbed...
------------------------------
Message: 2
Date: Thu, 27 Mar 2008 09:09:43 -0500
From: "Kevin R. DeYoung" <deyoung@xxxxxxxxx
>
Subject: [Wireshark-users] H1 Protocol Decode
To: <wireshark-users@xxxxxxxxxxxxx >
Message-ID: <004a01c89014$34922dc0$f9bc000a@xxxxxxxxx >
Content-Type: text/plain; charset="utf-8"
I'm looking for information from anyone who has been able to successfully
use the H1 Dissector that comes with WireShark. I am viewing transmissions
between devices that are supposed to be using the Siemens H1 protocol riding
on the COTP transport. COTP is decoded well but the H1 dissector doesn't
seem to be decoding the H1 components contained within the COTP frame.
-------------- next part --------------
An HTML attachment was scrubbed...
------------------------------
Message: 3
Date: Thu, 27 Mar 2008 09:36:42 -0500
From: "Mark Sass" <thesassman@xxxxxxxxxxx >
Subject: Re: [Wireshark-users] Using tshark to extract empty fields
from pcap files
To: <wireshark-users@xxxxxxxxxxxxx >
Message-ID: <BAY104-DAV12120783B465DDFB3DA8D7C6FE0@xxxxxxx
>
Content-Type: text/plain; charset="iso-8859-1"
I am not officially on the list, so I am not so sure where to go to reply to this reply. I am basically trying to capture the payload of smtp packets i.e. the mail message, and I am trying to capture the DNS responses where it shows the domain name and IP address to which it resolved. I am looking for the part of the DNS packet that has "a1509.g.akamai.net: type A, class IN, addr 72.246.98.65" - as shown in the example below from a PDML file. It has field = "" show "a1509.g.akamai.net: type A, class IN, addr 72.246.98.65", but I cannot figure out how to extract this data using tshark at a command line. Any thoughts?
< snipped all frame, udp, etc stuff
>
<proto name="dns" showname="Domain Name System (response)" size="68" pos="42"
>
<field name="dns.response_to" showname="Request In: 5567" size="0" pos="42" show="5567"/
>
<field name="dns.time" showname="Time: 0.014816000 seconds" size="0" pos="42" show="0.014816000"/
>
<field name="dns.id" showname="Transaction ID: 0x1c20" size="2" pos="42" show="0x1c20" value="1c20"/
>
<field name="dns.flags" showname="Flags: 0x8400 (Standard query response, No error)" size="2" pos="44" show="0x8400" value="8400"
>
<field name="dns.flags.response" showname="1... .... .... .... = Response: Message is a response" size="2" pos="44" show="1" value="1" unmaskedvalue="8400"/
>
<field name="dns.flags.opcode" showname=".000 0... .... .... = Opcode: Standard query (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/
>
<field name="dns.flags.authoritative" showname=".... .1.. .... .... = Authoritative: Server is an authority for domain" size="2" pos="44" show="1" value="1" unmaskedvalue="8400"/
>
<field name="dns.flags.truncated" showname=".... ..0. .... .... = Truncated: Message is not truncated" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/
>
<field name="dns.flags.recdesired" showname=".... ...0 .... .... = Recursion desired: Don't do query recursively" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/
>
<field name="dns.flags.recavail" showname=".... .... 0... .... = Recursion available: Server can't do recursive queries" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/
>
<field name="dns.flags.z" showname=".... .... .0.. .... = Z: reserved (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/
>
<field name="dns.flags.authenticated" showname=".... .... ..0. .... = Answer authenticated: Answer/authority portion was not authenticated by the server" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/
>
<field name="dns.flags.rcode" showname=".... .... .... 0000 = Reply code: No error (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/
>
</field >
<field name="dns.count.queries" showname="Questions: 1" size="2" pos="46" show="1" value="0001"/
>
<field name="dns.count.answers" showname="Answer RRs: 2" size="2" pos="48" show="2" value="0002"/
>
<field name="dns.count.auth_rr" showname="Authority RRs: 0" size="2" pos="50" show="0" value="0000"/
>
<field name="dns.count.add_rr" showname="Additional RRs: 0" size="2" pos="52" show="0" value="0000"/
>
<field name="" show="Queries" size="24" pos="54" value="056131353039016706616b616d6169036e65740000010001"
>
<field name="" show="a1509.g.akamai.net: type A, class IN" size="24" pos="54" value="056131353039016706616b616d6169036e65740000010001"
>
<field name="dns.qry.name" showname="Name: a1509.g.akamai.net" size="20" pos="54" show="a1509.g.akamai.net" value="056131353039016706616b616d6169036e657400"/
>
<field name="dns.qry.type" showname="Type: A (Host address)" size="2" pos="74" show="0x0001" value="0001"/
>
<field name="dns.qry.class" showname="Class: IN (0x0001)" size="2" pos="76" show="0x0001" value="0001"/
>
</field >
</field >
<field name="" show="Answers" size="32" pos="78" value="c00c0001000100000014000448f66219c00c0001000100000014000448f66241"
>
<field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.25" size="16" pos="78" value="c00c0001000100000014000448f66219"
>
<field name="dns.resp.name" showname="Name: a1509.g.akamai.net" size="2" pos="78" show="a1509.g.akamai.net" value="c00c"/
>
<field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="80" show="0x0001" value="0001"/
>
<field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="82" show="0x0001" value="0001"/
>
<field name="dns.resp.ttl" showname="Time to live: 20 seconds" size="4" pos="84" show="20" value="00000014"/
>
<field name="dns.resp.len" showname="Data length: 4" size="2" pos="88" show="4" value="0004"/
>
<field name="" show="Addr: 72.246.98.25" size="4" pos="90" value="48f66219"/
>
</field >
<field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.65" size="16" pos="94" value="c00c0001000100000014000448f66241"
>
<field name="dns.resp.name" showname="Name: a1509.g.akamai.net" size="2" pos="94" show="a1509.g.akamai.net" value="c00c"/
>
<field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="96" show="0x0001" value="0001"/
>
<field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="98" show="0x0001" value="0001"/
>
<field name="dns.resp.ttl" showname="Time to live: 20 seconds" size="4" pos="100" show="20" value="00000014"/
>
<field name="dns.resp.len" showname="Data length: 4" size="2" pos="104" show="4" value="0004"/
>
<field name="" show="Addr: 72.246.98.65" size="4" pos="106" value="48f66241"/
>
</field >
</field >
</proto >
</packet >
On Wed, Mar 26, 2008 at 04:06:50PM -0500, Mark Sass wrote:
> I am trying to extract fields from pcap files using tshark. I am
> currently using a format like this:
>
> tshark -r pcapfile -R "tcp.port eq xxx" -Tfields -e field1 -e field2
>
> I don't see the fields I wanted listed on the wireshark display filter
> reference listing, and when looking at the pcap files after conversion
> to PDML, the fields show up like this:
Which field(s) are you trying to extract?
Steve
-------------- next part --------------
An HTML attachment was scrubbed...
------------------------------
Message: 4
Date: Thu, 27 Mar 2008 10:49:03 -0400
From: "Rob MacKenzie" <rmackenzie@xxxxxxx >
Subject: Re: [Wireshark-users] Howto: set some column to print?
To: "Community support list for Wireshark"
<wireshark-users@xxxxxxxxxxxxx >
Message-ID:
<58CDF4E249128A489D8A42E5675B795C3471B1@xxxxxxxxxxxxxxxx >
Content-Type: text/plain; charset="gb2312"
#tshark -i 3 -o column.format:'"Info", "%i"'
That will just print the info column from Wireshark.
You can not specify the info column from the �e option in tshark.
-Rob MacKenzie
________________________________
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of ???
Sent: March 27, 2008 8:20 AM
To: wireshark-users
Subject: [Wireshark-users] Howto: set some column to print?
Hi,
Jaap, Thank you very much!
Can you tell me how to set some column to print?
#TShark -i 3 -e tcp.port -T fields //It can print port
#TShark -i 3 -e frame.number //It can print frame number
Now I want to print info column(In wireshark window display No,Time,Source,Destination,Protocol,Info, I want the last column, only the last column),Can you help me?
Can you tell me how to set the command line params ? Or Where I can find the doc?
Thank you !!!
2008-03-27
________________________________
赵新元
---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.
-------------- next part --------------
An HTML attachment was scrubbed...
------------------------------
_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
End of Wireshark-users Digest, Vol 22, Issue 75
*********************************************** |
- Follow-Ups:
- Re: [Wireshark-users] Wireshark-users_Digest,_Vol_22,_Issue_75
- From: Stephen Fisher
- Re: [Wireshark-users] Wireshark-users_Digest,_Vol_22,_Issue_75
- Prev by Date: [Wireshark-users] Using tshark to extract message body from smtp port
- Next by Date: Re: [Wireshark-users] Wireshark-users_Digest,_Vol_22,_Issue_75
- Previous by thread: [Wireshark-users] Using tshark to extract message body from smtp port
- Next by thread: Re: [Wireshark-users] Wireshark-users_Digest,_Vol_22,_Issue_75
- Index(es):
- Get Wireshark
- Download
- Code of Conduct