Wireshark-users: [Wireshark-users] SMTP and tshark fields
Hello Everyone,
I am trying to extract attachment filenames from SMTP streams using the '-T fields' option. The problem is that there are multiple smtp.req.commands, so most of the time instead of seeing the filename in the output I see base64. The tshark command I'm using is:
tshark -r example.pcap -R 'smtp.req.command contains "filename" || smtp.req.parameter contains "filename"' -T fields -e ip.src -e ip.dst -e smtp.req.parameter -e smtp.req.command
I'm using a Perl one-liner right now to get the filename without using -T fields, but was wondering if there was a way to get tshark to output it.
Any suggestions?
Thanks,
Harley
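An added example, not part of Harley's post or of the Wireshark project: a grep over the raw DATA lines will keep matching lines (and neighbouring base64) because the filename is only one parameter inside a MIME header, so the reliable route is to rebuild the message from the DATA phase and let a MIME parser pull the filename out. The script below assumes the DATA lines have already been extracted (for example with Follow TCP Stream, or from tshark field output, one line per list element; the exact field to use is an assumption about your tshark build), undoes SMTP dot-stuffing, and uses the standard library `email` parser, which also decodes the RFC 2231 `filename*=` form that a plain `contains "filename"` filter would print undecoded. The sample message is constructed for the example.

```python
"""Extract attachment filenames from an SMTP DATA phase (added example).

Assumes you already have the DATA-phase lines as a list of strings, one
per line, as produced by following the TCP stream or by a tshark field
dump of the session (the exact field is an assumption about your build).
"""
import email
from email import policy

# Constructed sample: the DATA phase as the server would see it on the
# wire. Dot-stuffing on the text part is included deliberately, and the
# second attachment uses an RFC 2231 encoded (non-ASCII) filename.
SAMPLE_DATA_LINES = [
    "From: alice@example.test",
    "To: bob@example.test",
    "Subject: report",
    "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="b1"',
    "",
    "--b1",
    "Content-Type: text/plain; charset=us-ascii",
    "",
    "see attached",
    "..this line really started with a single dot",  # dot-stuffed
    "--b1",
    'Content-Type: application/pdf; name="q3-report.pdf"',
    'Content-Disposition: attachment; filename="q3-report.pdf"',
    "Content-Transfer-Encoding: base64",
    "",
    "JVBERi0xLjQKJcfsj6IKNSAwIG9iago8PC9MZW5ndGggNiAwIFIvRmlsdGVyIC9GbGF0",
    "ZURlY29kZT4+CnN0cmVhbQ==",
    "--b1",
    "Content-Type: application/octet-stream",
    "Content-Disposition: attachment; filename*=utf-8''r%C3%A9sum%C3%A9.docx",
    "Content-Transfer-Encoding: base64",
    "",
    "UEsDBBQABgAIAAAAIQA=",
    "--b1--",
    ".",  # end of DATA
]


def smtp_data_to_message(data_lines):
    """Rebuild the message bytes from DATA-phase lines.

    RFC 5321: the phase ends at a line consisting of a single '.', and any
    other line that begins with '.' had that first '.' added by the sender
    (dot-stuffing), so it is removed here before MIME parsing.
    """
    out = []
    for line in data_lines:
        if line == ".":
            break
        if line.startswith("."):
            line = line[1:]
        out.append(line)
    return ("\r\n".join(out) + "\r\n").encode("utf-8", "surrogateescape")


def attachment_filenames(raw_message):
    """Return attachment filenames from a MIME message, in part order.

    get_filename() reads the Content-Disposition filename parameter, falls
    back to the Content-Type name parameter, and decodes quoted and
    RFC 2231 (filename*=) forms. Base64 bodies are never inspected, so
    encoded content cannot leak into the result the way it does with a
    line-oriented 'contains "filename"' filter.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no attachment of their own
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def filenames_from_data_lines(data_lines):
    """Convenience wrapper: DATA lines in, attachment filenames out."""
    return attachment_filenames(smtp_data_to_message(data_lines))


if __name__ == "__main__":
    for name in filenames_from_data_lines(SAMPLE_DATA_LINES):
        print(name)
```

If your tshark build reassembles the DATA phase and hands it to the IMF/MIME dissectors, it may be possible to get the same header straight from `-T fields` with the `imf` or `mime_multipart` fields instead of `smtp.req.parameter`; which fields are available depends on the version, so check `tshark -G fields | grep -i disposition` before relying on a name.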