Thanks.
On Tue, Dec 16, 2008 at 2:06 PM, Guy Harris <guy@xxxxxxxxxxxx> wrote:
On Dec 16, 2008, at 12:07 AM, Hashmat Khan wrote:
> Thanks.
> But how do I get this kind of output:
> 117.97.37.213 217.1.176.55 CLEARCASE 600 371 0x39de (14814)
> 117.97.37.213 202.56.250.5 DNS 2420 53 0x39df (14815)
> 117.97.37.213 255.255.255.255 DHCP 68 67 0x39e0 (14816)
> 117.97.37.213 202.56.250.6 DNS 2420 53 0x39e1 (14817)
> 117.97.37.213 202.56.250.5 DNS 2420 53 0x39e2 (14818)
> 117.97.37.213 202.56.250.5 DNS 2420 53 0x39e3 (14819)
> 117.97.37.213 202.56.250.6 DNS 2420 53 0x39e4 (14820)
> 117.97.37.213 255.255.255.255 DHCP 68 67 0x39e5 (14821)
>
> I want to print any source ip followed by any dest ip followed by
> protocol type followed by src port, dest port and finally ip header
> identification.
You can't get that with File -> Print in Wireshark, either, without
changing the columns you display.
At least with top-of-tree or development-branch (1.1[.x]) Wireshark,
you could get something similar with
    ./tshark -n -r ~/captures/dhcp-crap.pcap -o column.format:"Source","%s","Destination","%d","Protocol","%p","Source port","%S","Dest port","%D","IP ID","%Cus:ip.id"
on UN*X; the differences are that
1) it'll print out column headings;
2) it'll print only one space between columns;
3) it'll print "->" between the source and destination addresses.
Note that:
    for packets that *don't* have any IP addresses, it'll print lower-level (link-layer) addresses, if any;
    for packets that don't have transport-layer ports or an IP ID, it'll just print spaces.
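
A post-processing filter for the three differences listed above, added here as an example and not part of the original thread. The heading text and the sample rows are constructed (modelled on the rows quoted in the question), and `sample_rows` and `normalize_columns` are hypothetical helper names; it assumes the first line of tshark's output is the heading row.

```shell
#!/bin/sh
# Added example; not from the original thread.

# CONSTRUCTED sample of the column output: heading row, "->" between the
# addresses, one space between columns, and an ARP row that carries
# link-layer addresses and blank port / IP ID columns.
sample_rows() {
    cat <<'EOF'
Source Destination Protocol Source port Dest port IP ID
117.97.37.213 -> 202.56.250.5 DNS 2420 53 0x39df (14815)
117.97.37.213 -> 255.255.255.255 DHCP 68 67 0x39e0 (14816)
00:1a:2b:3c:4d:5e -> ff:ff:ff:ff:ff:ff ARP
EOF
}

# Turn that output into padded "src dst proto sport dport ipid" rows.
normalize_columns() {
    awk '
        NR == 1 { next }                     # 1) drop the heading row
        {
            n = 0
            for (i = 1; i <= NF; i++)        # 3) drop the "->" separator
                if ($i != "->") f[++n] = $i
            # Blank columns collapse under whitespace splitting, so a row
            # without ports or an IP ID has fewer than six fields. Skip it
            # rather than shift values into the wrong column.
            if (n < 6) { skipped++; next }
            id = f[6]                        # IP ID may be "0x39df (14815)"
            for (i = 7; i <= n; i++) id = id " " f[i]
            # 2) pad the columns instead of using a single space
            printf "%-15s %-15s %-10s %5s %5s %s\n", f[1], f[2], f[3], f[4], f[5], id
        }
        END {
            if (skipped)
                printf "skipped %d row(s) without ports or IP ID\n", skipped > "/dev/stderr"
        }
    '
}

sample_rows | normalize_columns
```

With a real capture, pipe the tshark command's output into `normalize_columns` in place of `sample_rows`.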