tshark outputting all fields?

wireshark pcap tshark
gak picture gak · Mar 6, 2013 · Viewed 18k times · Source

Is it possible to get tshark output every field (within the packet) using the -T fields option, or similar?

e.g. For every field in the packet/reconstruction, I would like something like this:

eth.src:f2:3c:91:96:fd:09,ip.src:1.2.3.4,tcp.dst_port:80,http.request.uri:/index.html

(The comma could be replaced with a \xff to make parsing better when values contain commas.)

I realise there is the -e option but it seems that I would have to put in every single possible field in the command line. On top of that, only a small fraction of fields will be used in each packet, which makes for a lot of data to parse.

I currently plan to use the tshark -V option and parse that, but ideally I would like more machine style terms such as http.request.uri instead of "human readable" e.g.:

Hypertext Transfer Protocol
    GET /main.php HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /main.php HTTP/1.1\r\n]
            [Message: GET /main.php HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /main.php

Answer

gak picture gak · Mar 6, 2013

Just stumbled across:

tshark -T pdml

which is exactly what I need:

<packet>
  <proto name="geninfo" pos="0" showname="General information" size="173">
    <field name="num" pos="0" show="323" showname="Number" value="143" size="173"/>
    <field name="len" pos="0" show="173" showname="Frame Length" value="ad" size="173"/>
    <field name="caplen" pos="0" show="173" showname="Captured Length" value="ad" size="173"/>
    <field name="timestamp" pos="0" show="Aug  7, 2011 16:16:13.579504000 EST" showname="Captured Time" value="1312697773.579504000" size="173"/>
  </proto>
  <proto name="frame" showname="Frame 323: 173 bytes on wire (1384 bits), 173 bytes captured (1384 bits)" size="173" pos="0">
    <field name="frame.time" showname="Arrival Time: Aug  7, 2011 16:16:13.579504000 EST" size="0" pos="0" show="Aug  7, 2011 16:16:13.579504000"/>
    ... etc.

It includes the Wireshark filter name, as well as all the fields that are included in the packet.

Update: This is quite slow, and hacking up tshark.c so -V prints out the abbrev instead of the name in the header_field_info *hfinfo; does the trick too. I should probably contribute this an a option when I get the chance.

Related questions

filtering by domain

I want to filter my pcap file by their domains. I mean, I want to see the packets comes on a website ends with ".com", ".org" or ".net". I tried: dns contains "com", ip.src_host == com, ip.src_host == …

Read More
How do I use tshark to print request-response pairs from a pcap file?

Given a pcap file, I'm able to extract a lot of information from the reconstructed HTTP request and responses using the neat filters provided by Wireshark. I've also been able to split the pcap file into each TCP stream. Trouble …

Read More
Tshark - Export packet info from pcap to cvs

I am trying to programmatically capture a stream of packets by using Tshark. The simplified terminal command I am using is: tshark -i 2 -w output.pcap This is pretty straightforward, but I then need to get a .csv file in …

Read More