Wireshark · Wireshark-dev: [Wireshark-dev] Re: byte range selections in tshark -e fields

Wireshark-dev: [Wireshark-dev] Re: byte range selections in tshark -e fields

From: Sake Blok | SYN-bit <sake.blok@xxxxxxxxxx>

Date: Mon, 13 Jan 2025 13:50:32 +0100

> wireshark GUI supports byte selection by means of indexing an protocol
> field in display filters, e.g.:
> 
> "gsm_map.ms.autn[6] == 0x80"
> 
> is it possible to use expressions indexed like shown above for tshark
> fields specified with -e option? what is the syntax for it?

Yes it is, and it supports the same syntax, ie "-T fields -e eth.dst[0:3]" would output the OUI of the ethernet destination. Please note that you need tshark v4.4.0 or later.

Cheers,
Sake

References:
- [Wireshark-dev] byte range selections in tshark -e fields
  - From: Cristian Constantin

Prev by Date: [Wireshark-dev] a bug about MQTT
Next by Date: [Wireshark-dev] Re: a bug about MQTT
Previous by thread: [Wireshark-dev] Re: byte range selections in tshark -e fields
Next by thread: [Wireshark-dev] Survey for Telephony / RRC Statistics
Index(es):
- Date
- Thread