Wireshark-users: [Wireshark-users] Help needed controlling tshark output format
From: "Andrew Cuthbertson" <[email protected]>
Date: Mon, 2 Jun 2008 16:12:09 +0200
Hello

I have a few questions about getting text information out of tshark and hope
someone can help as I am new to this.

1. I want to get data out in a delimited format to load into a
spreadsheet/database for custom reporting and analysis.
2. I would like to be able to get the data value and the decoded value, e.g.
tcp.port value is 80, decoded value is http
3. I would like to see if the packets are marked by a specified analysis
flag, e.g. tcp.analysis.retransmission

From what I can see there are 2 main formats
Example A. tshark.exe" -o column.format:""No.", "%m", "Time", "%t",
"Source", "%s", "Destination", "%d", "srcport", "%uS", "dstport", "%uD",
"len", "%L", "Protocol", "%p", "Info", "%i", "expert","%a"" -r
e:\temp\wstest\test.enc > e:\temp\wstest\testout.txt
using % values

Example B. "C:\Program Files\Wireshark\tshark.exe" -T text -E separator=; -E
header=y -Tfields -e frame.number -e frame.time -e frame.time_delta -e
frame.pkt_len -e frame.protocols -e eth.src -e ip.src -e tcp.srcport -e
eth.dst -e ip.dst -e tcp.dstport -e tcp.seq -e tcp.nxtseq -e tcp.ack -e
tcp.window_size -e tcp.flags -e tcp.flags.push -e tcp.flags.ack -e
tcp.flags.syn -e tcp.flags.reset -r e:\temp\wstest\test.enc >
e:\temp\wstest\testout.txt

From Example A
A1 bad: I understand from other threads that it is not possible to have
specified a delimiter using this format
A2 bad: I understand with this format it is possible to add fields as per
display filter fields. The example I found is "Len", "%Cus:tcp.len".
Unfortunately I have not been able to get it to work on this or any other fields
using a DOS window or Cygwin.
A3 good: decoded value is available for many fields

From Example B
B1 good: output can have all fields as per normal display filters
B2 good: I can have a delimiter
B3 bad: no flag is set for the tcp.analysis.retransmission field even when you
apply the tcp.analysis.retransmission filter to only get retransmitted
packets. If this flag had been set this way then I would OR this filter with
frame.number>0 to get all packets and have the flag set on the relevant
frames.
B4 bad: I cannot find how to get the decoded value of the field.
B5 I would like something like %i value from the Example A format. Is it
possible to use the % values in the Example B command line.

I know there are a few different questions here and any help with the above
would be appreciated. There may of course be better ways to approach this in
which case please point me in the right direction.

My ideal solution is like Example B with a value in fields like -e
tcp.analysis.retransmission and being able to add %fields from Example A

Kind regards

Andrew Cuthbertson
Email: [email protected]
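One way to get most of what the post asks for from the Example B style of output, as an added example that is not part of the original message and not Wireshark project code: run tshark twice, once with the full -T fields list and once restricted by the tcp.analysis.retransmission display filter emitting only frame.number, then join the two delimited outputs in a short script. The "decoded value" column is derived from frame.protocols (already in the Example B command), whose last element is the highest-layer dissector that ran, so a TCP port 80 packet that Wireshark dissected as HTTP ends in ":http". The sample inputs below are constructed to look like tshark's `-E separator=; -E header=y` output; the exact tshark invocations in the comments are assumptions (the display-filter option was -R on 2008-era releases and is -Y on current ones), and the seq-based retransmission heuristic is a crude cross-check of my own, not Wireshark's analysis.

```python
"""Parse tshark -T fields output (-E separator=; -E header=y) into records,
add a decoded-protocol column and a retransmission flag, and write the
result back out as a delimited file a spreadsheet or database can load.
Added example; not code from the mailing-list post or from Wireshark."""
import csv
import io

# Constructed sample of what a command like
#   tshark -T fields -E separator=; -E header=y -e frame.number ... -r test.enc
# prints (trimmed to a few of the Example B fields; values are made up).
SAMPLE_ALL = """frame.number;frame.time_delta;frame.protocols;ip.src;tcp.srcport;ip.dst;tcp.dstport;tcp.seq;tcp.flags
1;0.000000;eth:ip:tcp;10.0.0.5;51234;10.0.0.8;80;0;0x0002
2;0.000210;eth:ip:tcp;10.0.0.8;80;10.0.0.5;51234;0;0x0012
3;0.000050;eth:ip:tcp:http;10.0.0.5;51234;10.0.0.8;80;1;0x0018
4;0.300000;eth:ip:tcp:http;10.0.0.5;51234;10.0.0.8;80;1;0x0018
5;0.000100;eth:ip:tcp:http;10.0.0.8;80;10.0.0.5;51234;1;0x0018
"""

# Constructed sample of a second, filtered run (assumed invocation):
#   tshark -R tcp.analysis.retransmission -T fields -E header=y -e frame.number -r test.enc
# On current releases the display-filter option is -Y instead of -R.
SAMPLE_RETRANS = """frame.number
4
"""


def parse_fields_output(text, sep=";"):
    """Read delimited tshark output with a header row into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text), delimiter=sep))


def decoded_protocol(protocols):
    """Highest-layer dissector name: 'eth:ip:tcp:http' -> 'http'."""
    return protocols.split(":")[-1] if protocols else ""


def suspect_retransmissions(rows):
    """Crude heuristic (assumption, not Wireshark's analysis): a frame that
    repeats the same (src, sport, dst, dport, seq) with the same TCP flags
    as an earlier frame is a suspected retransmission."""
    seen = set()
    suspects = set()
    for row in rows:
        key = (row["ip.src"], row["tcp.srcport"], row["ip.dst"],
               row["tcp.dstport"], row["tcp.seq"], row["tcp.flags"])
        if key in seen:
            suspects.add(row["frame.number"])
        seen.add(key)
    return suspects


def build_report(all_text, retrans_text, sep=";"):
    """Join the full run with the filtered run and add derived columns."""
    retrans = {r["frame.number"] for r in parse_fields_output(retrans_text, sep)}
    report = []
    for row in parse_fields_output(all_text, sep):
        rec = dict(row)
        rec["decoded"] = decoded_protocol(row.get("frame.protocols", ""))
        # 1/0 flag column, the value the post wanted -e tcp.analysis.retransmission to give.
        rec["retransmission"] = "1" if row["frame.number"] in retrans else "0"
        report.append(rec)
    return report


def to_delimited(report, sep=";"):
    """Serialise the report back to header + delimited rows."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(report[0].keys()),
                            delimiter=sep, lineterminator="\n")
    writer.writeheader()
    writer.writerows(report)
    return buf.getvalue()


if __name__ == "__main__":
    rep = build_report(SAMPLE_ALL, SAMPLE_RETRANS)
    print(to_delimited(rep), end="")
    print("heuristic suspects:", sorted(suspect_retransmissions(parse_fields_output(SAMPLE_ALL))))
```

In practice the two tshark runs would be redirected to files and passed to `build_report` via `open(...).read()`; the second run is what supplies the analysis flag, since the filtered run's frame.number list is exactly the set of frames Wireshark marked. The seq-repeat heuristic is only there to sanity-check that list on a capture; it cannot see payload length or the reverse-direction ACKs that Wireshark uses, so treat disagreements as something to look at in the GUI rather than as a verdict.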