Wireshark-users: [Wireshark-users] Help with tshark display filter

From: "Starr, David" <David.Starr@xxxxxxxxx>
Date: Fri, 5 Mar 2010 13:20:46 -0600

I need to scan through several hundred capture files and pull out all of the 9-character IDs on certain request packets.

I’m using the following tshark command: tshark -r cfile0001.cap -R "data contains NETN" -Tfields -edata

However, I cannot find a way in tshark to get this to output as text, only as a byte array. I’ve tried -edata-text-lines, and various other things from the tshark man page, but so far no luck.

Ideally, I would like to extract the IDs that are at a fixed byte offset. I tried -edata[66:9] but this displayed only blank lines...

Any help would be much appreciated!

David
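
Added example, not part of the original post or of Wireshark: one way to post-process the byte-array output of the command above, turning each hex line into bytes and reading a 9-character ID at a fixed offset. The function names, the sample lines (constructed) and the offset of 8 are assumptions; the offset is counted from the start of the data field, and the input is assumed to be plain or colon-separated hex.

```python
import sys

MARKER = b"NETN"  # marker taken from the display filter in the post
ID_LEN = 9        # ID length stated in the post

def decode_data_field(line):
    """Turn one line of hex output (plain or colon-separated) into bytes."""
    hexstr = line.strip().replace(":", "")
    if not hexstr:
        return None          # blank line: packet had no data field
    try:
        return bytes.fromhex(hexstr)
    except ValueError:
        return None          # not hex, e.g. a stray warning line

def extract_id(payload, offset, length=ID_LEN):
    """Return the ID at a fixed offset as text, or None if it is not usable."""
    chunk = payload[offset:offset + length]
    if len(chunk) != length:
        return None          # payload too short for this offset
    if not all(0x20 <= b < 0x7F for b in chunk):
        return None          # non-printable bytes: wrong offset or wrong packet
    return chunk.decode("ascii")

def extract_ids(lines, offset):
    """Collect IDs from every line whose payload contains MARKER."""
    ids = []
    for line in lines:
        payload = decode_data_field(line)
        if payload is None or MARKER not in payload:
            continue
        ident = extract_id(payload, offset)
        if ident is not None:
            ids.append(ident)
    return ids

# Constructed sample input (not from a real capture): marker, padding, ID.
_p1 = b"NETN" + bytes(4) + b"AB1234567" + b"\x00\x01"
_p2 = b"NETN" + bytes(4) + b"ZZ9876543"
SAMPLE_LINES = [
    _p1.hex(),                            # plain hex
    ":".join(f"{b:02x}" for b in _p2),    # colon-separated hex
    "",                                   # packet without a data field
    b"NETN\x00".hex(),                    # marker present, payload too short
    b"OTHERxxxAB1234567".hex(),           # no marker: skipped
]

if __name__ == "__main__":
    # Usage: tshark ... -Tfields -edata | python extract_ids.py OFFSET
    source = SAMPLE_LINES if sys.stdin.isatty() else sys.stdin
    offset = int(sys.argv[1]) if len(sys.argv) > 1 else 8
    for ident in extract_ids(source, offset):
        print(ident)
```

Blank or short lines are skipped rather than printed, so a wrong offset shows up as missing IDs instead of garbage text.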