
Extracting Fields from Tshark

Posted 10-28-2010


An interesting question appeared at ask.wireshark.org this week.


"How can I run Wireshark from the command line to open a file, and output a file containing only the UDP length of every DNS packet?"


It's an interesting question because folks often overlook (a) capturing traffic with Tshark and (b) using the -T parameter to pull field information. The answer was provided by skypemesm:

tshark -R "dns" -r abc.pcap -T fields -e udp.length


-R "dns" - applies a DNS display filter to the trace file

-r abc.pcap - opens the abc.pcap file using Tshark

-T fields - indicates we are pulling field contents (default format: text)

-e udp.length - tells Tshark to pull the value of the udp.length field


The results of this type of operation print on the screen, as you can see in the example below. What if you want to pull this information from a live capture?

Ok - you have to watch out here, since Bug 2234 prevents us from using a display filter during a live capture in Tshark. Sigh. We'll use a capture filter instead.

tshark -T fields -e udp.length -f "port 53" > udplength.txt


In this case we are still pulling out the UDP length field values, but we've defined a capture filter for traffic to/from port 53 and redirected the output to a text file. What else can you do? Well, you can use the -a parameter to define an autostop condition or the -c parameter to define the number of packets to capture.
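As an added example (not from the original post, nor from the Wireshark project), here is a small Python script that builds the two tshark command lines described above, one for a trace file and one for a live capture, and parses the tab-separated -T fields output. It requests a few extra real Wireshark fields (frame.number, ip.src, ip.dst, dns.qry.name) alongside udp.length and uses the -E options (separator=/t, header=y) so the output carries a header row. Since the post was written, tshark has replaced -R with -Y for a single-pass display filter, so the file command uses -Y. The parser is exercised on constructed sample output embedded in the script, so it runs without tshark installed; the "oversized DNS packet" threshold is an arbitrary triage cue, not a rule from the post.

```python
"""Build tshark '-T fields' commands and parse their output.

Added example, not the original post's code.  The parser runs on
constructed sample output so no capture or tshark install is needed.
Field names are real Wireshark fields; the size threshold is arbitrary.
"""
import shlex
import subprocess
from typing import Dict, List, Optional

# Each -e adds one output column, in this order.
FIELDS = ["frame.number", "ip.src", "ip.dst", "udp.length", "dns.qry.name"]


def build_tshark_cmd(pcap: Optional[str] = None,
                     interface: Optional[str] = None) -> List[str]:
    """Return tshark argv for a file (display filter) or a live capture.

    -R in the 2010 post is the read filter; current tshark uses -Y for a
    single-pass display filter.  Live captures use a BPF capture filter
    (-f) instead, as the post explains.
    """
    cmd = ["tshark", "-T", "fields", "-E", "separator=/t", "-E", "header=y"]
    for field in FIELDS:
        cmd += ["-e", field]
    if pcap is not None:
        cmd += ["-r", pcap, "-Y", "dns"]
    elif interface is not None:
        cmd += ["-i", interface, "-f", "port 53", "-c", "1000"]
    else:
        raise ValueError("need a pcap path or an interface name")
    return cmd


def parse_fields_output(text: str) -> List[Dict[str, str]]:
    """Parse tab-separated '-T fields' output with a header row into dicts.

    A field that does not occur in a packet is emitted as an empty column,
    e.g. DNS over TCP has no udp.length, so that cell is blank rather than
    the whole line being dropped.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    rows = []
    for ln in lines[1:]:
        cols = ln.split("\t")
        cols += [""] * (len(header) - len(cols))  # pad short lines
        rows.append(dict(zip(header, cols)))
    return rows


def oversized_dns(rows: List[Dict[str, str]],
                  threshold: int = 520) -> List[Dict[str, str]]:
    """Return rows whose udp.length exceeds the threshold.

    520 = classic 512-byte DNS/UDP payload limit plus the 8-byte UDP
    header.  EDNS makes larger responses normal, so treat hits as a
    triage cue for a closer look, not as an alert on their own.
    """
    hits = []
    for row in rows:
        raw = row.get("udp.length", "")
        if raw.isdigit() and int(raw) > threshold:
            hits.append(row)
    return hits


def run_tshark(cmd: List[str]) -> List[Dict[str, str]]:
    """Run tshark (must be installed) and parse what it prints."""
    res = subprocess.run(cmd, capture_output=True, text=True, check=True)
    return parse_fields_output(res.stdout)


# Constructed sample of what the file command prints; frame 3 is DNS over
# TCP, so its udp.length column is empty.
SAMPLE_OUTPUT = (
    "frame.number\tip.src\tip.dst\tudp.length\tdns.qry.name\n"
    "1\t10.0.0.5\t10.0.0.1\t41\texample.com\n"
    "2\t10.0.0.1\t10.0.0.5\t57\texample.com\n"
    "3\t10.0.0.5\t10.0.0.1\t\tbig.example.com\n"
    "4\t10.0.0.1\t10.0.0.5\t1480\tbig.example.com\n"
)


if __name__ == "__main__":
    print("file command:", shlex.join(build_tshark_cmd(pcap="abc.pcap")))
    print("live command:", shlex.join(build_tshark_cmd(interface="eth0")))
    for row in oversized_dns(parse_fields_output(SAMPLE_OUTPUT)):
        print("oversized DNS frame", row["frame.number"],
              row["udp.length"], row["dns.qry.name"])
```

To use it against a real trace, pass build_tshark_cmd(pcap="abc.pcap") to run_tshark; for a live capture, the interface variant adds -c 1000 so the capture stops on its own, matching the -c option mentioned above.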

All Access Pass Members: The Tshark Command-Line Capture course has been released on your new portal. I added a bonus section on the use of the -T/-e parameters after writing this blog.

Not an All Access Pass Member? Jeepers - the price was just lowered so now is the time to sign up for one-year of online training at www.chappellu.com.


Enjoy!


Laura