Wireshark-users: Re: [Wireshark-users] Reporting with Wireshark

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Wed, 13 Jul 2011 21:52:35 +0200
Hi Jacob,

-T fields
$ tshark -r test.pcap -R "frame.number<40" -T fields -e frame.number -e frame.time
-e frame.time_delta -e frame.time_delta_displayed -e frame.time_relative
-E header=y

You can use -o column.format to print other columns:
$ tshark -r test.pcap -R "frame.number<40" -o column.format:""No.","%m",
"Time", "%t", "Time", "%Yt", "Time", "%Tt", "Time", "%Rt", "Source", "%s",
"Destination", "%d", "Protocol", "%p", "tcp.port", "%Cus:tcp.port", "udp.port",
"%Cus:udp.port", "Len", "%L", "Info","%i"" -T psml

For time formats take a look at:
http://anonsvn.wireshark.org/wireshark/trunk/epan/column.c
"%Yt",		/* 1) COL_ABS_DATE_TIME */
"%At",		/* 2) COL_ABS_TIME */

"%Tt",		/* 11) COL_DELTA_TIME */
"%dct",		/* 12) COL_DELTA_CONV_TIME */
"%Gt",		/* 13) COL_DELTA_TIME_DIS */

"%Rt",		/* 49) COL_REL_TIME */
"%rct",		/* 50) COL_REL_CONV_TIME */

"%t",		/* 58) COL_CLS_TIME */

Hope this helps
Joke


On Mon, 11 Jul 2011 15:07:40 -0400 Abel, Jacob wrote:
>Hello all,
>
> 
>
>I'm using Wireshark to dump out capture files at regular intervals. I'm
>going to merge the in and out traffic together with mergecap and then I
>want to process the data with tshark. I only need basic information, but
>the PSML format doesn't provide quite enough. I need port numbers in
>addition to that basically. I've been trying to sort of emulate the PSML
>output, but need help with the filters. There are way too many and
>searching doesn't really help. This is what I have so far:
>
> 
>
>tshark -r test.pcap -T fields -E header=y -e ip.src -e ip.dst -e
>udp.port -e tcp.port -e frame.len > test.txt
>
> 
>
>In addition to this information, I need the time (seconds, hh:mm:ss,
>doesn't matter) and the protocol, for starters. It would also be nice to
>see the info field as well, if it exists.
>
> 
>
>Thanks in advance,
>
>Jacob