Wireshark-users: Re: [Wireshark-users] Using tshark to extract empty fields from pcap files

From: Stephen Fisher <stephentfisher@xxxxxxxxx>
Date: Wed, 26 Mar 2008 15:59:38 -0600
On Wed, Mar 26, 2008 at 04:06:50PM -0500, Mark Sass wrote:

> I am trying to extract fields from pcap files using tshark.  I am 
> currently using a format like this:
> 
> tshark -r pcapfile -R "tcp.port eq xxx" -Tfields -e field1 -e field2
> 
> I don't see the fields I wanted listed on the wireshark display filter 
> reference listing, and when looking at the pcap files after conversion 
> to PDML, the fields show up like this:

Which field(s) are you trying to extract?


Steve