Wireshark-users: Re: [Wireshark-users] wireshark extract specific field

Date: Wed, 20 Aug 2008 21:56:54 +0200
Hi Pari,

head.exe is part of the CYGWIN tools. So if you don't have them, just skip
"| head"

head.exe shows you by default the first 10 lines of the infile.

$ head.exe --help
Usage: head [OPTION]... [FILE]...
Print the first 10 lines of each FILE to standard output.
With more than one FILE, precede each with a header giving the file name.
With no FILE, or when FILE is -, read standard input.

Grtz
Joan
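As an added example, not part of this thread, here is a small Python parser for the custom-column output quoted below: it recovers srcport/dstport/len (ports are absent on the ARP rows) and turns the tcp.flags.ack / tcp.flags.syn columns, which print "Set" rather than a 0/1 value, back into booleans. The sample rows are constructed from the quoted output, with the last one altered to carry a single "Set" so the ambiguous case is visible; handling of a "Not set" token is an assumption about other Wireshark versions, not something shown on this page.

```python
import re

# Constructed sample in the layout of the quoted custom-column run
# (No., Time, Source -> Destination, Protocol, srcport, dstport, len, ack, syn).
# The last row is altered to carry only one "Set" token, the ambiguous case.
SAMPLE = """\
1   0.000000 00:0d:8d:66:86:ce -> ff:ff:ff:ff:ff:ff ARP   42
3   0.000278  192.168.1.4 -> 210.61.144.37 DNS 64120 53 76
5   0.010454  192.168.1.4 -> 64.149.93.104 TCP 1090 80 62 Set Set
7   0.025976  192.168.1.4 -> 64.149.93.104 TCP 1090 80 54 Set
"""

ROW_RE = re.compile(
    r"^(?P<no>\d+)\s+(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+->\s+(?P<dst>\S+)\s+"
    r"(?P<proto>\S+)\s*(?P<rest>.*)$"
)

def parse_row(line):
    """Parse one output row into a dict; tcp flag columns become True/False/None."""
    m = ROW_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised row: {line!r}")
    rest = m.group("rest").split()
    nums = [int(t) for t in rest if t.isdigit()]
    # srcport/dstport are only printed for port-carrying rows; len is always last.
    srcport, dstport = (nums[0], nums[1]) if len(nums) == 3 else (None, None)
    # The boolean columns print "Set" (blank, or "Not set" on some versions,
    # otherwise), not 0/1, so recover them by position: ack column, then syn.
    flags = re.findall(r"Not set|Set", " ".join(rest[len(nums):]))
    if m.group("proto") != "TCP":
        ack = syn = None                 # no TCP header, columns are empty
    elif len(flags) == 2:
        ack, syn = flags[0] == "Set", flags[1] == "Set"
    elif not flags:
        ack = syn = False                # both blank: neither flag set
    else:
        ack = syn = None                 # a lone bare "Set" is positionally ambiguous
    return {"no": int(m.group("no")), "time": float(m.group("time")),
            "src": m.group("src"), "dst": m.group("dst"), "proto": m.group("proto"),
            "srcport": srcport, "dstport": dstport, "len": nums[-1],
            "ack": ack, "syn": syn}

def parse_rows(text):
    """Parse a whole capture listing, skipping blank lines."""
    return [parse_row(line) for line in text.splitlines() if line.strip()]
```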


>
>Hi,
>I tried the command you gave joan but it gives me an error stating
>'head' is not an internal or external command, operable program or batch
>file.
>What may be the error?
>
>cheers
>pari
>
>On 8/20/08, j.snelders@xxxxxxxxxx <j.snelders@xxxxxxxxxx> wrote:
>>
>> On Tue, 19 Aug 2008 22:59:33 +0100 paritosh kulkarni wrote:
>> > Thanks Joan, this command works but still it gives the protocol in
>> > protocol number format.
>> > Is it the way it shows or we can change it some other way.
>>
>> Well, I've tried something else: custom columns:
>>
>> $ tshark -o column.format:""No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "Protocol", "%p", "srcport", "%uS", "dstport", "%uD", "len", "%L", "tcp.flags.ack", "%Cus:tcp.flags.ack", "tcp.flags.syn", "%Cus:tcp.flags.syn"" -r test.cap | head
>> 1   0.000000 00:0d:8d:66:86:ce -> ff:ff:ff:ff:ff:ff ARP   42
>> 2   0.000265 00:02:44:49:42:7b -> 00:0d:8d:66:86:ce ARP   60
>> 3   0.000278  192.168.1.4 -> 210.61.144.37 DNS 64120 53 76
>> 4   0.008086 210.61.144.37 -> 192.168.1.4  DNS 53 64120 380
>> 5   0.010454  192.168.1.4 -> 64.149.93.104 TCP 1090 80 62 Set Set
>> 6   0.025914 64.149.93.104 -> 192.168.1.4  TCP 80 1090 62 Set Set
>> 7   0.025976  192.168.1.4 -> 64.149.93.104 TCP 1090 80 54 Set Set
>> 8   0.032307  192.168.1.4 -> 64.149.93.104 HTTP 1090 80 481 Set Set
>> 9   0.044930 64.149.93.104 -> 192.168.1.4  TCP 80 1090 60 Set Set
>> 10   0.053650 64.149.93.104 -> 192.168.1.4  TCP 80 1090 1472 Set Set
>>
>> * and Yes, you've got your protocol
>> ** but it doesn't show the boolean value of the tcp.flags (just set or
>> nothing)
>>
>> BTW Wireshark gives the same result.
>>
>> Grtz
>> Joan
>>
>>
>>
>>
>> _______________________________________________
>> Wireshark-users mailing list
>> Wireshark-users@xxxxxxxxxxxxx
>> https://wireshark.org/mailman/listinfo/wireshark-users
>>