Wireshark-users: Re: [Wireshark-users] wireshark extract specific field

From: "paritosh kulkarni" <paritosh26@xxxxxxxxx>
Date: Tue, 19 Aug 2008 22:59:33 +0100
Thanks Joan this command works but still it gives the protocol in protocol number format.
Is it the way oit shows or we can change it some other way.

 
On 8/19/08, j.snelders@xxxxxxxxxx <j.snelders@xxxxxxxxxx> wrote:
On Tue, 19 Aug 2008 15:41:30 +0100 paritosh kulkarni wrote:
> one thing i want to ask is i get the protocol and flags in numerical values

> how to get them in the states we see as in wireshark.
> i.e like TCP instead as 0x06 and flags as SYN or FIn or SYN/ACK instead
of 0x18.

I don't think so, but correct me if I'm wrong.

If you use this command, you can at least see which flags are set.
$ tshark -r test.cap -T fields -e frame.number -e frame.time -e ip.src
-e ip.dst -e ip.proto -e tcp.srcport -e tcp.dstport -e frame.len -e tcp.len

-e tcp.flags.cwr -e tcp.flags.ecn -e tcp.flags.urg -e tcp.flags.ack -e tcp.flags.push
-e tcp.flags.reset -e tcp.flags.syn -E header=y > test.csv

Hope this helps somehow
Joan




_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
https://wireshark.org/mailman/listinfo/wireshark-users