Wireshark-users: Re: [Wireshark-users] tshark display filter / info

From: "j.snelders" <j.snelders@xxxxxxxxxx>
Date: Sun, 30 Oct 2011 19:04:55 +0100
Hi Stuart,

The Info column is not a filterable field.

But Network Monitor can do the trick:
http://www.lovemytool.com/blog/2011/03/microsoft-network-monitor-34-search-the-description-column-by-joke-snelders.html


My best
joke

On Sun, 30 Oct 2011 10:38:41 -0700 Stuart Kendrick wrote:
>How do I persuade tshark to display what Wireshark calls the 'Info' or 'Information'
>column?
>
>This shows up by default (in this case, as the text beginning with 'SSH...'
>or 'TCP...')
>
>guru> tshark -r server.pcap | more
>  1   0.000000 10.12.5.123 -> 10.12.18.116 SSH Encrypted response packet
>len=68
>  2   0.010257 10.12.18.116 -> 10.12.5.123 TCP 49280 > ssh [ACK] Seq=1 Ack=69
>Win=255 Len=0
>  3   0.260510 10.12.5.123 -> 10.12.18.116 SSH Encrypted response packet
>len=52
>
>But when I specify fields:
>tshark -r server.pcap -T fields -e frame.number -e ip.src -e ip.dst -e info
>
>What string identifies the 'Info' column?  Clearly not 'info' or 'information'
>...
>
>--sk
>
>Stuart Kendrick
>FHCRC