Wireshark-users: Re: [Wireshark-users] Using tshark to extract empty fields from pcap files
I am not officially on the list, so I am not so sure where to go to reply to this reply. I am basically trying to capture the payload of SMTP packets, i.e. the mail message, and I am trying to capture the DNS responses where it shows the domain name and the IP address to which it resolved. I am looking for the part of the DNS packet that has "a1509.g.akamai.net: type A, class IN, addr 72.246.98.65", as shown in the example below from a PDML file. It has a field with name="" and show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.65", but I cannot figure out how to extract this data using tshark at the command line. Any thoughts?
< snipped all frame, udp, etc stuff>
<proto name="dns" showname="Domain Name System (response)" size="68" pos="42">
  <field name="dns.response_to" showname="Request In: 5567" size="0" pos="42" show="5567"/>
  <field name="dns.time" showname="Time: 0.014816000 seconds" size="0" pos="42" show="0.014816000"/>
  <field name="dns.id" showname="Transaction ID: 0x1c20" size="2" pos="42" show="0x1c20" value="1c20"/>
  <field name="dns.flags" showname="Flags: 0x8400 (Standard query response, No error)" size="2" pos="44" show="0x8400" value="8400">
    <field name="dns.flags.response" showname="1... .... .... .... = Response: Message is a response" size="2" pos="44" show="1" value="1" unmaskedvalue="8400"/>
    <field name="dns.flags.opcode" showname=".000 0... .... .... = Opcode: Standard query (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
    <field name="dns.flags.authoritative" showname=".... .1.. .... ... = Authoritative: Server is an authority for domain" size="2" pos="44" show="1" value="1" unmaskedvalue="8400"/>
    <field name="dns.flags.truncated" showname=".... ..0. .... ... = Truncated: Message is not truncated" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
    <field name="dns.flags.recdesired" showname=".... ...0 .... ... = Recursion desired: Don't do query recursively" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
    <field name="dns.flags.recavail" showname=".... .... 0... .... = Recursion available: Server can't do recursive queries" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
    <field name="dns.flags.z" showname=".... .... .0.. .... = Z: reserved (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
    <field name="dns.flags.authenticated" showname=".... .... ..0. ... = Answer authenticated: Answer/authority portion was not authenticated by the server" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
    <field name="dns.flags.rcode" showname=".... .... .... 0000 = Reply code: No error (0)" size="2" pos="44" show="0" value="0" unmaskedvalue="8400"/>
  </field>
  <field name="dns.count.queries" showname="Questions: 1" size="2" pos="46" show="1" value="0001"/>
  <field name="dns.count.answers" showname="Answer RRs: 2" size="2" pos="48" show="2" value="0002"/>
  <field name="dns.count.auth_rr" showname="Authority RRs: 0" size="2" pos="50" show="0" value="0000"/>
  <field name="dns.count.add_rr" showname="Additional RRs: 0" size="2" pos="52" show="0" value="0000"/>
  <field name="" show="Queries" size="24" pos="54" value="056131353039016706616b616d6169036e65740000010001">
    <field name="" show="a1509.g.akamai.net: type A, class IN" size="24" pos="54" value="056131353039016706616b616d6169036e65740000010001">
      <field name="dns.qry.name" showname="Name: a1509.g.akamai.net" size="20" pos="54" show="a1509.g.akamai.net" value="056131353039016706616b616d6169036e657400"/>
      <field name="dns.qry.type" showname="Type: A (Host address)" size="2" pos="74" show="0x0001" value="0001"/>
      <field name="dns.qry.class" showname="Class: IN (0x0001)" size="2" pos="76" show="0x0001" value="0001"/>
    </field>
  </field>
  <field name="" show="Answers" size="32" pos="78" value="c00c0001000100000014000448f66219c00c0001000100000014000448f66241">
    <field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.25" size="16" pos="78" value="c00c0001000100000014000448f66219">
      <field name="dns.resp.name" showname="Name: a1509.g.akamai.net" size="2" pos="78" show="a1509.g.akamai.net" value="c00c"/>
      <field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="80" show="0x0001" value="0001"/>
      <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="82" show="0x0001" value="0001"/>
      <field name="dns.resp.ttl" showname="Time to live: 20 seconds" size="4" pos="84" show="20" value="00000014"/>
      <field name="dns.resp.len" showname="Data length: 4" size="2" pos="88" show="4" value="0004"/>
      <field name="" show="Addr: 72.246.98.25" size="4" pos="90" value="48f66219"/>
    </field>
    <field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.65" size="16" pos="94" value="c00c0001000100000014000448f66241">
      <field name="dns.resp.name" showname="Name: a1509.g.akamai.net" size="2" pos="94" show="a1509.g.akamai.net" value="c00c"/>
      <field name="dns.resp.type" showname="Type: A (Host address)" size="2" pos="96" show="0x0001" value="0001"/>
      <field name="dns.resp.class" showname="Class: IN (0x0001)" size="2" pos="98" show="0x0001" value="0001"/>
      <field name="dns.resp.ttl" showname="Time to live: 20 seconds" size="4" pos="100" show="20" value="00000014"/>
      <field name="dns.resp.len" showname="Data length: 4" size="2" pos="104" show="4" value="0004"/>
      <field name="" show="Addr: 72.246.98.65" size="4" pos="106" value="48f66241"/>
    </field>
  </field>
</proto>
</packet>

On Wed, Mar 26, 2008 at 04:06:50PM -0500, Mark Sass
wrote:
> I am trying to extract fields from pcap files using tshark. I am
> currently using a format like this:
>
> tshark -r pcapfile -R "tcp.port eq xxx" -Tfields -e field1 -e field2
>
> I don't see the fields I wanted listed on the wireshark display filter
> reference listing, and when looking at the pcap files after conversion
> to PDML, the fields show up like this:

Which field(s) are you trying to extract?

Steve
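The answer-RR wrappers in the PDML above have name="" and carry their text only in the show attribute, so tshark's -e cannot name them; one way to get the name/TTL/address pairs out is to parse the PDML (tshark -r file.pcap -T pdml) directly. The script below is an added example, not code from the thread or from Wireshark; SAMPLE_PDML is a constructed fragment modelled on the answer section quoted in the mail.

```python
# Added example, not from the thread: parse tshark PDML output and pull
# name/TTL/address out of every DNS answer RR, whose wrapper <field>
# elements have name="" and carry their text only in the show attribute.
import xml.etree.ElementTree as ET

# Constructed PDML fragment modelled on the answer section quoted in the
# mail (two A records); attributes the parser does not need are dropped.
SAMPLE_PDML = """<pdml>
<packet><proto name="dns" showname="Domain Name System (response)">
  <field name="dns.id" showname="Transaction ID: 0x1c20" show="0x1c20"/>
  <field name="" show="Answers">
    <field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.25">
      <field name="dns.resp.name" show="a1509.g.akamai.net"/>
      <field name="dns.resp.ttl" show="20"/>
      <field name="" show="Addr: 72.246.98.25"/></field>
    <field name="" show="a1509.g.akamai.net: type A, class IN, addr 72.246.98.65">
      <field name="dns.resp.name" show="a1509.g.akamai.net"/>
      <field name="dns.resp.ttl" show="20"/>
      <field name="" show="Addr: 72.246.98.65"/></field>
  </field>
</proto></packet>
</pdml>"""

def _child_show(elem, field_name):
    # show="..." of the first direct child <field> with that name, else None
    for child in elem.findall("field"):
        if child.get("name") == field_name:
            return child.get("show")
    return None

def dns_answers(pdml_text):
    """Return [(txid, name, ttl, addr), ...] for every A-record answer."""
    out = []
    for proto in ET.fromstring(pdml_text).iter("proto"):
        if proto.get("name") != "dns":
            continue
        txid = _child_show(proto, "dns.id")
        for wrapper in proto.findall("field"):
            # "Answers" and each RR under it are unnamed: select by show text.
            if wrapper.get("name") != "" or wrapper.get("show") != "Answers":
                continue
            for rr in wrapper.findall("field"):
                addr = next((f.get("show")[len("Addr: "):] for f in rr.findall("field")
                             if f.get("name") == "" and f.get("show", "").startswith("Addr: ")), None)
                if addr:  # records without an Addr child (CNAME etc.) are skipped
                    out.append((txid, _child_show(rr, "dns.resp.name"),
                                _child_show(rr, "dns.resp.ttl"), addr))
    return out
```

On a real capture, feed the output of tshark -r file.pcap -T pdml to dns_answers(); on the sample it returns the two 72.246.98.x records for a1509.g.akamai.net with transaction ID 0x1c20.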