Wireshark-users: [Wireshark-users] tshark

Date: Tue, 07 Sep 2010 12:35:03 +0000
I am capturing DHCP request from specific Huawei machines (MAC address starts
with 00259eaf).  Using tshark because I want to manipulate the data
afterwards.  I do as follows:

 sudo tshark -V -f '(udp dst port 67) and (ether[6:4] = 0x00259eaf)'  -l -i eth0

I get an entire output like listed below.  I just want the output to be bytes
0x125-0x138 ( i.e., 21021127229T94002393 ) text preferable but if I have to
get hex values it is OK.

I can't figure out how to specify this field in the output.  When I dump
with -V it says it is t43 "Vendor-Specific Information" but I try doing things
like -e43, -e Vendor-Specific_Information" and -e"Vendor-Specific Information"
but evereything comes out blanks.  I can get what I want through teeing,
piping and grepping but I always have problems doing that on things with
continuous output (like tail -f, and tshark).  Any ideas?  Here is the
output from above:

=======

% sudo tshark -V -x  -f '(udp dst port 67) and (ether[6:4] = 0x00259eaf)'  -l -i eth0
Running as user "root" and group "root". This could be dangerous.
Capturing on eth0
Frame 1 (350 bytes on wire, 350 bytes captured)
    Arrival Time: Sep  7, 2010 07:32:13.670881000
    [Time delta from previous captured frame: 0.000000000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 0.000000000 seconds]
    Frame Number: 1
    Frame Length: 350 bytes
    Capture Length: 350 bytes
    [Frame is marked: False]
    [Protocols in frame: eth:ip:udp:bootp]
Ethernet II, Src: HuaweiTe_af:70:27 (00:25:9e:af:70:27), Dst: Broadcast (ff:ff:ff:ff:ff:ff)
    Destination: Broadcast (ff:ff:ff:ff:ff:ff)
        Address: Broadcast (ff:ff:ff:ff:ff:ff)
        .... ...1 .... .... .... .... = IG bit: Group address (multicast/broadcast)
        .... ..1. .... .... .... .... = LG bit: Locally administered address (this is NOT the factory default)
    Source: HuaweiTe_af:70:27 (00:25:9e:af:70:27)
        Address: HuaweiTe_af:70:27 (00:25:9e:af:70:27)
        .... ...0 .... .... .... .... = IG bit: Individual address (unicast)
        .... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)
    Type: IP (0x0800)
Internet Protocol, Src: 0.0.0.0 (0.0.0.0), Dst: 255.255.255.255 (255.255.255.255)
    Version: 4
    Header length: 20 bytes
    Differentiated Services Field: 0x00 (DSCP 0x00: Default; ECN: 0x00)
        0000 00.. = Differentiated Services Codepoint: Default (0x00)
        .... ..0. = ECN-Capable Transport (ECT): 0
        .... ...0 = ECN-CE: 0
    Total Length: 336
    Identification: 0x0023 (35)
    Flags: 0x00
        0... = Reserved bit: Not set
        .0.. = Don't fragment: Not set
        ..0. = More fragments: Not set
    Fragment offset: 0
    Time to live: 255
    Protocol: UDP (0x11)
    Header checksum: 0xba7a [correct]
        [Good: True]
        [Bad : False]
    Source: 0.0.0.0 (0.0.0.0)
    Destination: 255.255.255.255 (255.255.255.255)
User Datagram Protocol, Src Port: bootpc (68), Dst Port: bootps (67)
    Source port: bootpc (68)
    Destination port: bootps (67)
    Length: 316
    Checksum: 0x8648 [correct]
        [Good Checksum: True]
        [Bad Checksum: False]
Bootstrap Protocol
    Message type: Boot Request (1)
    Hardware type: Ethernet
    Hardware address length: 6
    Hops: 0
    Transaction ID: 0x00082844
    Seconds elapsed: 0
    Bootp flags: 0x8000 (Broadcast)
        1... .... .... .... = Broadcast flag: Broadcast
        .000 0000 0000 0000 = Reserved flags: 0x0000
    Client IP address: 0.0.0.0 (0.0.0.0)
    Your (client) IP address: 0.0.0.0 (0.0.0.0)
    Next server IP address: 0.0.0.0 (0.0.0.0)
    Relay agent IP address: 0.0.0.0 (0.0.0.0)
    Client MAC address: HuaweiTe_af:70:27 (00:25:9e:af:70:27)
    Server host name not given
    Boot file name not given
    Magic cookie: (OK)
    Option: (t=53,l=1) DHCP Message Type = DHCP Discover
        Option: (53) DHCP Message Type
        Length: 1
        Value: 01
    Option: (t=43,l=32) Vendor-Specific Information
        Option: (43) Vendor-Specific Information
        Length: 32
        Value: DEADFACE0114323130323131323732323954393430303233...
    Option: (t=55,l=17) Parameter Request List
        Option: (55) Parameter Request List
        Length: 17
        Value: 010F0306090C0D0E111228292B3C3D4041
        1 = Subnet Mask
        15 = Domain Name
        3 = Router
        6 = Domain Name Server
        9 = LPR Server
        12 = Host Name
        13 = Boot File Size
        14 = Merit Dump File
        17 = Root Path
        18 = Extensions Path
        40 = Network Information Service Domain
        41 = Network Information Service Servers
        43 = Vendor-Specific Information
        60 = Vendor class identifier
        61 = Client identifier
        64 = Network Information Service+ Domain
        65 = Network Information Service+ Servers
    Option: (t=61,l=7) Client identifier
        Option: (61) Client identifier
        Length: 7
        Value: 0100259EAF7027
        Hardware type: Ethernet
        Client MAC address: HuaweiTe_af:70:27 (00:25:9e:af:70:27)
    End Option
    Padding

0000  ff ff ff ff ff ff 00 25 9e af 70 27 08 00 45 00   .......%..p'..E.
0010  01 50 00 23 00 00 ff 11 ba 7a 00 00 00 00 ff ff   .P.#.....z......
0020  ff ff 00 44 00 43 01 3c 86 48 01 01 06 00 00 08   ...D.C.<.H......
0030  28 44 00 00 80 00 00 00 00 00 00 00 00 00 00 00   (D..............
0040  00 00 00 00 00 00 00 25 9e af 70 27 00 00 00 00   .......%..p'....
0050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0080  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0090  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00a0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00b0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00c0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00d0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00e0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
00f0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0100  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................
0110  00 00 00 00 00 00 63 82 53 63 35 01 01 2b 20 de   ......c.Sc5..+ .
0120  ad fa ce 01 14 32 31 30 32 31 31 32 37 32 32 39   .....21021127229
0130  54 39 34 30 30 32 33 39 33 02 01 1e c8 01 01 37   T94002393......7
0140  11 01 0f 03 06 09 0c 0d 0e 11 12 28 29 2b 3c 3d   ...........()+<=
0150  40 41 3d 07 01 00 25 9e af 70 27 ff 00 00         @A=...%..p'...

1 packet captured