Hi,
When running tshark, I occasionally see instances where fields contain
comma delimited lists of values. For example, an ip.src field delimited
by pipe may contain two ips: 192.168.1.1,8.8.8.8. I am not sure how to
interpret this output.
I am running tshark as follows:
sudo tshark -i eth0 -l -E separator='|' -T fields -e frame.time_epoch -e
ip.src -e ip.dst -e udp.srcport -e udp.dstport -e tcp.srcport -e
tcp.dstport -e dns.flags.response -e dns.qry.name -e dns.flags.rcode -e
ip.proto -e dns.resp.addr -e frame.time_delta_displayed -e ip.len -e
tcp.flags -e eth.src -e eth.dst -e frame.len -e http.request -e
http.response
In some instances I receive output akin to the following:
1469188329.151229000|192.168.1.113,8.8.8.6|8.8.8.6,192.168.1.113|53|
39389|||1|daisy.ubuntu.com|0|1,17|162.213.33.133,162.213.33.164|
0.000249000|122,94||00:25:90:df:ff:52|ec:bd:1d:2d:bc:77|136
Input would be greatly appreciated.
Thanks,
Tim Ficarra