On Dec 16, 2008, at 12:07 AM, Hashmat Khan wrote:
Thanks.
But how do I get this kind of output:
117.97.37.213 217.1.176.55 CLEARCASE 600 371 0x39de (14814)
117.97.37.213 202.56.250.5 DNS 2420 53 0x39df (14815)
117.97.37.213 255.255.255.255 DHCP 68 67 0x39e0 (14816)
117.97.37.213 202.56.250.6 DNS 2420 53 0x39e1 (14817)
117.97.37.213 202.56.250.5 DNS 2420 53 0x39e2 (14818)
117.97.37.213 202.56.250.5 DNS 2420 53 0x39e3 (14819)
117.97.37.213 202.56.250.6 DNS 2420 53 0x39e4 (14820)
117.97.37.213 255.255.255.255 DHCP 68 67 0x39e5 (14821)
I want to print any source ip followed by any dest ip followed by
protocol type followed by src port, dest port and finally ip header
identification.
You can't get that with File -> Print in Wireshark, either, without
changing the columns you display.
At least with top-of-tree or development-branch (1.1[.x]) Wireshark,
you could get something similar with
    ./tshark -n -r ~/captures/dhcp-crap.pcap -o column.format:"Source","%s","Destination","%d","Protocol","%p","Source port","%S","Dest port","%D","IP ID","%Cus:ip.id"
on UN*X; the differences are that
1) it'll print out column headings;
2) it'll print only one space between columns;
3) it'll print "->" between the source and destination addresses.
Note that:
    for packets that *don't* have any IP addresses, it'll print lower-level (link-layer) addresses, if any;
    for packets that don't have transport-layer ports or an IP ID, it'll just print spaces.
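
Added example (not part of the original message and not Wireshark code): a standard-library Python reader that goes beyond the tshark command above and prints the six requested fields straight from a capture file, with no headings and no "->". It assumes a classic pcap file with Ethernet framing, prints the IP protocol name (TCP/UDP/ICMP) rather than Wireshark's dissector name, and uses hypothetical function names and a constructed sample capture.

```python
import socket
import struct

IP_PROTO = {1: "ICMP", 6: "TCP", 17: "UDP"}  # IP protocol names, not Wireshark dissector names

def pcap_rows(data):
    """Yield (src, dst, proto, sport, dport, ip_id) per IPv4-over-Ethernet packet."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None or len(data) < 24:
        raise ValueError("not a classic (microsecond) pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet captures (linktype 1) are handled")
    off = 24
    while off + 16 <= len(data):
        incl_len = struct.unpack(endian + "I", data[off + 8:off + 12])[0]
        frame = data[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        ip = frame[14:]
        # Skip frames that are not IPv4 or are too short to hold an IP header
        if frame[12:14] != b"\x08\x00" or len(ip) < 20 or ip[0] >> 4 != 4:
            continue
        ihl = (ip[0] & 0x0F) * 4
        ip_id, frag = struct.unpack("!HH", ip[4:8])
        sport = dport = ""
        # Ports exist only for TCP/UDP, and only in the first fragment
        if ip[9] in (6, 17) and (frag & 0x1FFF) == 0 and ihl >= 20 and len(ip) >= ihl + 4:
            sport, dport = struct.unpack("!HH", ip[ihl:ihl + 4])
        yield (socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20]),
               IP_PROTO.get(ip[9], str(ip[9])), sport, dport, ip_id)

def format_row(row):  # src dst proto sport dport 0xID (ID)
    src, dst, proto, sport, dport, ip_id = row
    return f"{src} {dst} {proto} {sport} {dport} 0x{ip_id:04x} ({ip_id})"

def sample_pcap():
    """Constructed two-packet capture: one UDP datagram and one ARP frame."""
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28, 0x39DF, 0, 64, 17, 0,
                     socket.inet_aton("192.0.2.10"), socket.inet_aton("192.0.2.53"))
    udp = struct.pack("!HHHH", 2420, 53, 8, 0)
    frames = [bytes(12) + b"\x08\x00" + ip + udp, bytes(12) + b"\x08\x06" + bytes(28)]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for row in pcap_rows(sample_pcap()):
        print(format_row(row))
```

Unlike the tshark command, this skips non-IP frames instead of printing their link-layer addresses, and leaves the port fields empty for packets that have none.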