Wireshark-users: Re: [Wireshark-users] tshark -Ttext output

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 17 Mar 2008 21:47:56 +0100
On Mon, Mar 17, 2008 at 03:47:57PM -0400, Rob MacKenzie wrote:
> Great app, quick question.
> I am using tshark as part of a larger program, and I need the packet
> summaries from a pcap file.
> I am getting the format I need by piping out from 
> tshark -r myfile.pcap -Ttext > outfile.txt
> My questions are:
> 1: is there no way to get tshark to output not to standard out but to a
> file, as the -w option just outputs the pcap file again.

At the moment, no. Is there an advantage over using the ">" redirection?

But why not save the binary data to file and use "tshark -r <file> |" in
your program to read from file? It gives much more flexibility.

> 2: The format of the -Ttext output is determined by the columns in
> Wireshark.  My app needs to run smoothly even if Wireshark is opened and
> configuration changed.  Where are these options stored on a windows
> machine? On a linux machine?

The preferences are saved in the file "preferences" in the directory
"c:\Documents and Settings\<user>\Application Data\Wireshark\" under
windows and <home>/.wireshark under linux.

You can override the column settings from your program by using:

tshark -o column.format:'"No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "srcport", "%uS", "dstport", "%uD", "len", "%L", "Protocol", "%p", "Info", "%i"' -Ttext ...

(use the format you need here!)

Another way is to use the option "-T fields -e <field> -e <field>..."
instead. That will give you control over the fields in the output. And
since they are just values separated by a TAB (or user defined separator),
your program is able to parse the output more easily.

Hope this helps,
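As an added example (not part of the thread above), here is how the calling program could consume the "-T fields" output Sake recommends. It assumes the invocation shown in the comment, using the tshark options -E header=y and -E separator=/t; the sample output is constructed, not taken from a real capture.

```python
from typing import Dict, List, Optional

# Assumed invocation whose output this parser consumes:
#   tshark -r file.pcap -T fields -E header=y -E separator=/t \
#       -e frame.number -e frame.time_relative -e ip.src -e ip.dst \
#       -e tcp.srcport -e tcp.dstport -e frame.len -e frame.protocols
FIELDS = ["frame.number", "frame.time_relative", "ip.src", "ip.dst",
          "tcp.srcport", "tcp.dstport", "frame.len", "frame.protocols"]
# Constructed sample output, not captured from a real pcap. Frame 2 is UDP
# (empty TCP port fields); frame 3 is an ICMP error carrying an inner IP
# header, so ip.src/ip.dst occur twice and tshark joins them with ",".
SAMPLE = (
    "\t".join(FIELDS) + "\n"
    "1\t0.000000000\t10.0.0.5\t93.184.216.34\t51234\t443\t74\teth:ethertype:ip:tcp\n"
    "2\t0.000412000\t10.0.0.5\t10.0.0.1\t\t\t82\teth:ethertype:ip:udp:dns\n"
    "3\t0.001900000\t10.0.0.1,10.0.0.5\t10.0.0.5,93.184.216.34\t\t\t98"
    "\teth:ethertype:ip:icmp:ip:tcp\n"
)

def _multi(value: str) -> List[str]:
    # A field that occurs more than once in a frame arrives comma-joined.
    return [v for v in value.split(",") if v]

def _port(value: str) -> Optional[int]:
    # Fields absent from a frame are emitted as empty strings, not omitted.
    return int(value) if value else None

def parse_fields(text: str) -> List[Dict[str, object]]:
    lines = text.splitlines()
    # The header line lets the caller detect a changed field list instead
    # of silently misreading columns, the concern raised in the thread.
    if not lines or lines[0].split("\t") != FIELDS:
        raise ValueError("unexpected tshark field layout")
    rows = []
    for line in lines[1:]:
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            raise ValueError(f"malformed record: {line!r}")
        r = dict(zip(FIELDS, cols))
        rows.append({
            "number": int(r["frame.number"]),
            "time": float(r["frame.time_relative"]),
            "src": _multi(r["ip.src"]),
            "dst": _multi(r["ip.dst"]),
            "srcport": _port(r["tcp.srcport"]),
            "dstport": _port(r["tcp.dstport"]),
            "len": int(r["frame.len"]),
            "protocols": r["frame.protocols"],
        })
    return rows
```

Feeding the real tshark output to parse_fields() works the same way as the constructed SAMPLE; a header mismatch fails loudly rather than producing shifted columns.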