On Tue, Mar 24, 2009 at 01:58:40PM +1100, Chris Henderson wrote:
> I'm trying to get the tshark output (MAC addresses) to a file but the
> output of tshark -i eth0 -n port 68 -R 'bootp.type == 2' -o
> column.format:'"Source MAC","%hs"' is different from the output of
> tshark -i eth0 -n port 68 -R 'bootp.type == 2' -o
> column.format:'"Source MAC","%hs"' -w /tmp/mac
>
> In the latter I get number, time, ip -> ip, DHCP, transaction ID - all
> of which I don't need. In the former, I only get the MAC address which
> I need. Is there any way to dump only the MAC address to an output
> file?

Try redirecting the output of the first command to the file. The -w
option is for writing raw packet data in libpcap format to a file. To
quote the tshark man page:

    If you want to write the decoded form of packets to a file, run TShark
    without the -w option, and redirect its standard output to the file
    (do not use the -w option).

Steve