Wireshark-users: Re: [Wireshark-users] tshark -T fields and info column

From: "Rob MacKenzie" <rmackenzie@xxxxxxx>
Date: Mon, 26 May 2008 10:39:55 -0400
c:\WaveScan\tshark\tshark.exe -o
column.format:""Packet#","%m","Time","%t","Source","%rhs","Destination",
"%uhd","Speed","%x","Size","%L","RSSI","%e","Info","%i"" -r
c:\WaveScan\Data\0-final.pcap > c:\WaveScan\Data\0-p_sum.csv


That's the command I run from a script to get tshark to output what
I want.  As has been mentioned, you can add custom fields with the
"%Cus:tcp.len" option.  The two sets of doublequotes are needed for
Windows to understand what is to be passed to tshark.

A quick and easy way I usually use to make these commands is to set up
Wireshark the way I want it, then go into the
%APPDATA%/Wireshark/preferences file and copy the column.format field.

If you are adding into an app or script, remember to escape your quotes
with backslashes.

It works pretty well for me, except I'd like it to have a specific
delimiter for parsing.  This is one place Tshark needs a little
tweaking, something I might look into later.



Rob MacKenzie
Advanced Connectivity Developer

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx
[mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Sake Blok
Sent: May 25, 2008 10:08 AM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] tshark -T fields and info column

On Sun, May 25, 2008 at 08:11:07AM -0500, Starner, Mark wrote:
> Is it just me, or does the Windows version of tshark not support this
> option?
>
> I have seen this posted a lot, but I get an error when I try to use
> it.

Well, the Windows version does support this, but I'm not sure how to
pass the correct string to tshark from within the Windows Command Shell.
I use the Windows version of tshark from within cygwin and have no
problem using these options :-)

Cheers,
    Sake
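Added example, not part of the original thread or of Wireshark: a Python sketch of the workflow described above, reading column.format out of a preferences file and passing it to tshark as a single argument so the embedded quotes never need hand-escaping. The sample preferences text, its continuation-line layout, the `example.other` key and the file name `capture.pcap` are constructed assumptions.

```python
import re
import subprocess

# Constructed sample preferences text. The indented continuation-line layout
# is an assumption about the file; example.other is a hypothetical key.
SAMPLE_PREFS = '''# Packet list column format.
column.format:
\t"Packet#", "%m",
\t"Time", "%t",
\t"Len", "%Cus:tcp.len",
\t"Info", "%i"
example.other: 1
'''

def read_column_format(prefs_text):
    """Return the column.format value as a list of (title, format) pairs."""
    chunks, collecting = [], False
    for line in prefs_text.splitlines():
        if line.startswith("column.format:"):
            collecting = True
            chunks.append(line.split(":", 1)[1])
        elif collecting and line[:1] in (" ", "\t"):
            chunks.append(line)      # an indented line continues the value
        elif collecting:
            break                    # next preference or blank line ends it
    items = re.findall(r'"([^"]*)"', " ".join(chunks))
    if not items or len(items) % 2:
        raise ValueError("column.format must hold title/format pairs")
    return list(zip(items[0::2], items[1::2]))

def tshark_argv(pairs, pcap, tshark="tshark"):
    """Build an argument list; the whole preference is ONE argv element."""
    value = ",".join('"%s","%s"' % pair for pair in pairs)
    return [tshark, "-o", "column.format:" + value, "-r", pcap]

def windows_command_line(argv):
    """Show how the argument list is quoted when flattened for Windows."""
    return subprocess.list2cmdline(argv)

if __name__ == "__main__":
    argv = tshark_argv(read_column_format(SAMPLE_PREFS), "capture.pcap")
    print(windows_command_line(argv))
    # To run it without any shell quoting step:
    # subprocess.run(argv, stdout=open("summary.txt", "w"), check=True)
```

Passing the list straight to `subprocess.run` avoids the quoting problem entirely; `windows_command_line` only shows the backslash-escaped form a script would otherwise have to produce by hand.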