Wireshark · Wireshark-users: Re: [Wireshark-users] Help with tshark display filter

Wireshark-users: Re: [Wireshark-users] Help with tshark display filter

From: "Boonie" <newsboonie@xxxxxxxxx>

Date: Tue, 9 Mar 2010 21:11:59 +0100

David,

Can you provide us with a PCAP that contains a few of these packets?

Dave

----- Original Message -----

From: Starr, David

To: wireshark-users@xxxxxxxxxxxxx

Sent: Tuesday, March 09, 2010 4:33 PM

Subject: [Wireshark-users] Help with tshark display filter

I need to scan through several hundred capture files and pull out all of the 9 character IDs on certain request packets.

Im using the following tshark command: tshark -r cfile0001.cap -R "data contains NETN" -Tfields -edata

However, I cannot find a way in tshark to get this to output as text, only as a byte array. Ive tried edata-text-lines, and various other things from the tshark man page, but so far no luck.   I just need to display the data as ascii text.

Ideally, I would like to extract the IDs that are at a fixed byte offset.. I tried edata[66:9] but this displayed only blank lines..

Any help would be much appreciated!

David

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

References:
- [Wireshark-users] Help with tshark display filter
  - From: Starr, David

Prev by Date: Re: [Wireshark-users] Wireshark in Network - Windows/Linux
Next by Date: Re: [Wireshark-users] Regarding TCP Options
Previous by thread: [Wireshark-users] Help with tshark display filter
Next by thread: [Wireshark-users] WireShark is not working on my pc
Index(es):
- Date
- Thread