Wireshark-users: Re: [Wireshark-users] writing some text to Tshark output file

From: Maryam Homayouni <marnameh@xxxxxxxxx>
Date: Sun, 16 Nov 2008 02:44:07 -0800 (PST)
Hi Joan,
thank you for your response, I have some more questions on your command,
  1. Is "-r *.cap" necessary or I can capture or display online traffic?
  2. If for example I need to log SIP traffic, can I use the options exist in this column.c file or I must add some things more? I mean isn't there any need to use -T or -e options to log for example specific sip packet's field which I am interested in?
  3. and finally it does not seed that I can write the fields' names beside values? I mean you log some parameters and set their place in your output file, but can I write my desired field name for each of parameters logged?
Regards,
Maryam

 
--- On Sun, 11/16/08, j.snelders@xxxxxxxxxx <j.snelders@xxxxxxxxxx> wrote:
From: j.snelders@xxxxxxxxxx <j.snelders@xxxxxxxxxx>
Subject: Re: [Wireshark-users] writing some text to Tshark output file
To: marnameh@xxxxxxxxx, "Community support list for Wireshark" <wireshark-users@xxxxxxxxxxxxx>
Received: Sunday, November 16, 2008, 1:53 AM

Hi Maryam,

You can use custom colomns:
i.e.
$ tshark -o column.format:""No.", "%m",
"Time", "%t", "Source", "%s",
"Destination",
"%d", "Protocol", "%p", "Info",
"%i"" -r test1.cap > test1.txt

Output:
1 0.000000 192.168.1.4 -> 213.51.144.37 DNS Standard query A
www.google.co.uk
2 0.007430 213.51.144.37 -> 192.168.1.4 DNS Standard query response
CNAME www.google.com CNAME www.l.google.com A 74.125.39.104 A 74.125.39.147
A 74.125.39.103 A 74.125.39.99
3 0.010423 192.168.1.4 -> 74.125.39.104 TCP 1847 > 80 [SYN] Seq=0
Win=65535
Len=0 MSS=1460
4 0.026881 74.125.39.104 -> 192.168.1.4 TCP 80 > 1847 [SYN, ACK]
Seq=0
Ack=1 Win=5720 Len=0 MSS=1460
5 0.026941 192.168.1.4 -> 74.125.39.104 TCP 1847 > 80 [ACK] Seq=1
Ack=1
Win=65535 [TCP CHECKSUM INCORRECT] Len=0
6 0.027219 192.168.1.4 -> 74.125.39.104 HTTP GET / HTTP/1.1

For other output formats of time stamps etc.:
http://anonsvn.wireshark.org/wireshark/trunk/epan/column.c

HTH
Joan

On Sun, 16 Nov 2008 01:11:50 -0800 (PST) Maryam Homayouni wrote:
>I tried -E option but it is not as flexible as I expect, it only writes
exactly
>the header name which is specified in -e option in top line of the file
above
>each column, for example the following command:
>tshark -T fields -e frame.number -E header=y -E quote=d > out
>results the following output:
>frame.number
>"1"
>"2"
>"3"
>...
>but what? I am looking for is to write what ever I prefer beside the values
>in each line, for example
>
>Frame Number : 1??? Time : 0.0000
>Frame Number : 2 ?? Time : 0.0012
>?..
>can any body suggest me a way to get it?
>
>
>
>--- On Tue, 11/11/08, Abhik Sarkar <sarkar.abhik@xxxxxxxxx> wrote:
>From: Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
>Subject: Re: [Wireshark-users] writing some text to Tshark output file
>To: marnameh@xxxxxxxxx
>Received: Tuesday, November 11, 2008, 4:46 AM
>
>Not that I am aware of, but perhaps someone else can suggest
>something. You might also want to look at the -E option in combination
>with your existing command.
>
>On Tue, Nov 11, 2008 at 7:55 AM, Maryam Homayouni
<marnameh@xxxxxxxxx>
>wrote:
>> Hi,
>> I used this option to write the value of some parameters, for example
the
>> following command :
>> tshark -T fields -e frame.num > outfile
>>
>> results the following output
>> 1
>> 2
>> 3
>> 4
>> ..
>> but i want to have the following output:
>> FrameNumber : 1
>> FrameNumber : 2
>> ..
>> I mean I want to make tshark to write what I wrote in command line +
the
>> value of packet's parameters.
>> Is there any way to do that?
>>
>> Regards,
>> M.Homayouni
>>
>>
>> --- On Mon, 11/10/08, Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
wrote:
>>
>> From: Abhik Sarkar <sarkar.abhik@xxxxxxxxx>
>> Subject: Re: [Wireshark-users] writing some text to Tshark output file
>> To: marnameh@xxxxxxxxx, "Community support list for
Wireshark"
>> <wireshark-users@xxxxxxxxxxxxx>
>> Received: Monday, November 10, 2008, 5:35 AM
>>
>> Maryam,
>> Please check the manpage of tshark (one copy here
>> http://linux.die.net/man/1/tshark).
>> I think the -T fields options is what you are looking for.
>> Regards,
>> Abhik
>> On Mon, Nov 10, 2008 at 2:19 PM, Maryam Homayouni
><marnameh@xxxxxxxxx>
>> wrote:
>>> Hi All,
>>>
>>> I am new to tshark, trying to redirect some parameters of udp
packets
>to
>> an
>>> output file, but in addition to the parameters I want to write the
>name of
>>> parameters beside them (from command line) for examlple when I get
>frame
>>> number parameter , I want to have the "Frame Number"
phrase
>> before its value
>>> in the output file.
>>> i.e. output file:
>>> Frame Mumber: <frame.num value>
>>>
>>> could any body help me finding a way for that?
>>>
>>> Regards,
>>> M.Homayouni
>>> ________________________________
>>> Now with a new friend-happy design! Try the new Yahoo! Canada
>Messenger
>>> _______________________________________________
>>> Wireshark-users mailing list
>>> Wireshark-users@xxxxxxxxxxxxx
>>> https://wireshark.org/mailman/listinfo/wireshark-users
>>>
>>>
>>
>> ________________________________
>> Looking for the perfect gift? Give the gift of Flickr!
>
>
>
> __________________________________________________________________
>Ask a question on any topic and get answers from real people. Go to Yahoo!
>Answers and share what you know at http://ca.answers.yahoo.com
>_______________________________________________
>Wireshark-users mailing list
>Wireshark-users@xxxxxxxxxxxxx
>https://wireshark.org/mailman/listinfo/wireshark-users







Be smarter than spam. See how smart SpamGuard is at giving junk email the boot with the All-new Yahoo! Mail