Extracting Fields from Tshark
An interesting question appeared at ask.wireshark.org this week.
"How can I run Wireshark from the command line to open a file, and output a file containing only the UDP length of every DNS packet?"
It's an interesting question because folks often overlook (a) capturing traffic with Tshark and (b) using the -T parameter to pull field information. The answer was provided by skypemesm:
tshark -R "dns" -r abc.pcap -T fields -e udp.length
-R "dns" - applies a DNS display filter to the trace file
-r abc.pcap - opens the abc.pcap file using Tshark
-T fields - indicates we are pulling field contents (default output format: text)
-e udp.length - tells Tshark to pull the value of the udp.length field
The results of this type of operation print on the screen, one value per line, as you can see in the example below. What if you want to pull this information from a live capture?
Ok - you have to watch out here, since Bug 2234 restricts us from using a display filter during a live capture in Tshark. Sigh. We'll use a capture filter instead.
tshark -T fields -e udp.length -f "port 53" > udplength.txt
In this case we are still pulling out the UDP length field values, but we've defined a capture filter for traffic to/from port 53 and redirected the results to a text file. What else can you do? Well, you can use the -a parameter to define an autostop condition or the -c parameter to define the number of packets to capture.
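Once the field values are in a text file, the natural next step for a defender is to do something with them. The script below is an added example (not from the original post or from the Wireshark project): it parses the one-value-per-line output that `tshark -T fields -e udp.length` produces, skips blank or malformed lines, summarizes the distribution, and flags DNS datagrams whose UDP length exceeds the classic 512-byte DNS payload limit plus the 8-byte UDP header, a simple signal worth reviewing for oversized or tunneled DNS. The sample output embedded in the script is constructed, not a real capture. The `build_tshark_command` helper reassembles the two command lines from the post; note that on current tshark releases the display filter option is `-Y`, while `-R` has become a two-pass read filter that requires `-2`, so the helper takes a `modern` flag to choose between them.

```python
import statistics
from typing import Dict, List, Optional

# Constructed sample of what `tshark -T fields -e udp.length` prints for DNS
# traffic: one UDP length per line (UDP header plus payload, in bytes). The
# blank line and the non-numeric line mimic packets where the field was absent.
SAMPLE_OUTPUT = """\
60
71
60

85
not-a-number
60
1232
2000
"""

# 512-byte DNS payload limit without EDNS, plus the 8-byte UDP header.
DNS_CLASSIC_MAX_UDP_LENGTH = 512 + 8


def parse_udp_lengths(text: str) -> List[int]:
    """Parse tshark field output into integers, skipping empty/malformed lines."""
    lengths: List[int] = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            lengths.append(int(line))
        except ValueError:
            # Field missing or output garbled for this packet; ignore it.
            continue
    return lengths


def summarize(lengths: List[int]) -> Dict[str, float]:
    """Basic distribution figures for a quick look at the captured lengths."""
    if not lengths:
        return {"count": 0, "min": 0, "max": 0, "mean": 0.0}
    return {
        "count": len(lengths),
        "min": min(lengths),
        "max": max(lengths),
        "mean": statistics.mean(lengths),
    }


def flag_oversized(lengths: List[int], threshold: int = DNS_CLASSIC_MAX_UDP_LENGTH) -> List[int]:
    """Return the UDP lengths above the threshold; these deserve a closer look."""
    return [n for n in lengths if n > threshold]


def build_tshark_command(
    pcap: Optional[str] = None,
    capture_filter: str = "port 53",
    display_filter: str = "dns",
    field: str = "udp.length",
    modern: bool = True,
) -> List[str]:
    """Assemble the argv for the commands in the post.

    With a pcap path, a display filter is applied while reading the file
    (-Y on current tshark, -R on the older releases the post used). Without
    one, a live capture is started with a capture filter instead.
    """
    cmd = ["tshark", "-T", "fields", "-e", field]
    if pcap:
        cmd += ["-r", pcap, "-Y" if modern else "-R", display_filter]
    else:
        cmd += ["-f", capture_filter]
    return cmd


if __name__ == "__main__":
    lengths = parse_udp_lengths(SAMPLE_OUTPUT)
    print("parsed:", lengths)
    print("summary:", summarize(lengths))
    print("oversized:", flag_oversized(lengths))
    print("file command:", " ".join(build_tshark_command("abc.pcap", modern=False)))
    print("live command:", " ".join(build_tshark_command()))
```

To use it on real data, run the live-capture command from the post with output redirected to udplength.txt, then feed that file's contents to `parse_udp_lengths`. The threshold is deliberately simple; tune it to your environment (EDNS-enabled resolvers legitimately exceed 520 bytes) and treat the flagged values as a prompt to inspect the packets, not as a verdict.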
All Access Pass Members: The Tshark Command-Line Capture course has been released on your new portal. I added a bonus section on the use of the -T/-e parameters after writing this blog.
Not an All Access Pass Member? Jeepers - the price was just lowered, so now is the time to sign up for one year of online training at www.chappellu.com.