
tshark basic column format

pursh 2014. 7. 2. 14:24

The info column will not work in -e as that is only for filterable
fields (such as tcp.port).  You can specify the columns to use in tshark
by overriding (-o) the preference file setting for column.format using
the syntax taken from the preferences file:

 # Packet list column format.
 # Each pair of strings consists of a column title and its format.
 column.format:
  "No.", "%m",
  "Time", "%t",
  "Source", "%s",
  "Destination", "%d",
  "Protocol", "%p",
  "Info", "%i"

 

For example, to only show the info column's contents in tshark:

tshark -o column.format:"Info, %i"

tshark -o column.format:""No.", "%m", "Info", "%i", "Len", "%Cus:tcp.len""

tshark.exe -o column.format:""Packet#","%m","Time","%t","Source","%rhs","Destination","%uhd","Speed","%x","Size","%L","RSSI","%e","Info","%i""

When several columns are used, the whole value must begin and end with a double quote,
and '%Cus' is case-sensitive, so it has to be written exactly as shown.

 

 

The first word is the title of the column, which won't be shown in
tshark anyway.

The % variables can be found in epan/column.c of the source code:

  http://anonsvn.wireshark.org/viewvc/trunk/epan/column.c?view=markup

 

And cross-referencing the descriptions in epan/column_info.h:

  http://anonsvn.wireshark.org/viewvc/trunk/epan/column_info.h?view=markup

 

 

Reference: http://www.wireshark.org/lists/wireshark-users/200806/msg00003.html

 

Hello

I have a few questions about getting text information out of tshark and hope
someone can help as I am new to this.

1. I want to get data out in a delimited format to load into a
spreadsheet/database for custom reporting and analysis.
2. I would like to be able to get the data value and the decoded value, e.g.
tcp.port value is 80, decoded value is http
3. I would like to see if the packets are marked by a specified analysis
flag, e.g. tcp.analysis.retransmission

 

From what I can see there are 2 main formats
Example A. tshark.exe -o column.format:""No.", "%m", "Time", "%t",
"Source", "%s", "Destination", "%d", "srcport", "%uS", "dstport", "%uD",
"len", "%L", "Protocol", "%p", "Info", "%i", "expert","%a"" -r
e:\temp\wstest\test.enc > e:\temp\wstest\testout.txt
using % values

 

Example B. tshark.exe -T text -E separator=; -E
header=y -Tfields -e frame.number -e frame.time -e frame.time_delta -e
frame.pkt_len -e frame.protocols -e eth.src -e ip.src -e tcp.srcport -e
eth.dst -e ip.dst -e tcp.dstport -e tcp.seq -e tcp.nxtseq -e tcp.ack -e
tcp.window_size -e tcp.flags -e tcp.flags.push -e tcp.flags.ack -e
tcp.flags.syn -e tcp.flags.reset -r e:\temp\wstest\test.enc >
e:\temp\wstest\testout.txt

 

From Example A
A1 bad: I understand from other threads that it is not possible to have
specified a delimiter using this format
A2 bad: I understand with this format it is possible to add fields as per
display filter fields. The example I found is "Len", "%Cus:tcp.len".
Unfortunately I have not been able to get it to work on this or any other fields
using a DOS window or Cygwin.
A3 good: decoded value is available for many fields

 

From Example B
B1 good: output can have all fields as per normal display filters
B2 good: I can have a delimiter
B3 bad: no flag is set for the tcp.analysis.retransmission field even when you
apply the tcp.analysis.retransmission filter to only get retransmitted
packets. If this flag had been set this way then I would OR this filter with
frame.number>0 to get all packets and have the flag set on the relevant
frames.
B4 bad: I cannot find how to get the decoded value of the field.
B5 I would like something like the %i value from the Example A format. Is it
possible to use the % values in the Example B command line?

I know there are a few different questions here and any help with the above
would be appreciated. There may of course be better ways to approach this in
which case please point me in the right direction.

My ideal solution is like Example B with a value in fields like -e
tcp.analysis.retransmission and being able to add %fields from Example A

Kind regards

 

The full list of tshark column format codes can be printed with the command below:

kali@kali:~/forensic$ tshark -G column-formats
%q      802.1Q VLAN id
%Yt     Absolute date, as YYYY-MM-DD, and time
%YDOYt  Absolute date, as YYYY/DOY, and time
%At     Absolute time
%V      Cisco VSAN
%B      Cumulative Bytes
%Cus    Custom
%y      DCE/RPC call (cn_call_id / dg_seqnum)
%Tt     Delta time
%Gt     Delta time displayed
%rd     Dest addr (resolved)
%ud     Dest addr (unresolved)
%rD     Dest port (resolved)
%uD     Dest port (unresolved)
%d      Destination address
%D      Destination port
%a      Expert Info Severity
%I      FW-1 monitor if/direction
%F      Frequency/Channel
%hd     Hardware dest addr
%hs     Hardware src addr
%rhd    Hw dest addr (resolved)
%uhd    Hw dest addr (unresolved)
%rhs    Hw src addr (resolved)
%uhs    Hw src addr (unresolved)
%e      IEEE 802.11 RSSI
%x      IEEE 802.11 TX rate
%f      IP DSCP Value
%i      Information
%rnd    Net dest addr (resolved)
%und    Net dest addr (unresolved)
%rns    Net src addr (resolved)
%uns    Net src addr (unresolved)
%nd     Network dest addr
%ns     Network src addr
%m      Number
%L      Packet length (bytes)
%p      Protocol
%Rt     Relative time
%s      Source address
%S      Source port
%rs     Src addr (resolved)
%us     Src addr (unresolved)
%rS     Src port (resolved)
%uS     Src port (unresolved)
%E      TEI
%Yut    UTC date, as YYYY-MM-DD, and time
%YDOYut UTC date, as YYYY/DOY, and time
%Aut    UTC time
%t      Time (format as specified)

For example, to print Wireshark's default columns with tshark:

tshark -o 'gui.column.format:"No.","%m","Time","%t","Source","%s","Destination","%d","Protocol","%p","Length","%L","Info","%i"'
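As an added example (not code from the original post or from the wireshark-users thread), the POSIX shell functions below build the column.format value from title/format pairs, check every format code against the list printed by tshark -G column-formats above (the check is case-sensitive, so "%cus" is rejected while "%Cus:tcp.len" passes, which is the point made in the note about '%Cus'), and print the complete tshark command line for either the column form (Example A) or the -T fields form (Example B). The capture file name capture.pcap is a placeholder; the functions only print the command, they do not run tshark.

```shell
#!/bin/sh
# Added example, not from the original post or the wireshark-users thread.
# Builds and checks the value passed with -o gui.column.format so quoting
# and case mistakes are caught before tshark is run.

# Format codes as listed by `tshark -G column-formats` above.  "%Cus" is
# followed by ":<field>", e.g. "%Cus:tcp.len".
KNOWN_FORMATS='%q %Yt %YDOYt %At %V %B %Cus %y %Tt %Gt %rd %ud %rD %uD %d %D
%a %I %F %hd %hs %rhd %uhd %rhs %uhs %e %x %f %i %rnd %und %rns %uns %nd %ns
%m %L %p %Rt %s %S %rs %us %rS %uS %E %Yut %YDOYut %Aut %t'

# Return 0 if $1 is a known format code.  The comparison is case-sensitive,
# exactly as tshark treats it, so "%cus:tcp.len" is rejected.
is_known_format() {
    code=${1%%:*}          # drop the custom-field suffix: %Cus:tcp.len -> %Cus
    for known in $KNOWN_FORMATS; do
        [ "$known" = "$code" ] && return 0
    done
    return 1
}

# Build the preference value from title/format pairs:
#   build_column_format "No." "%m" "Info" "%i"   ->   "No.","%m","Info","%i"
# Prints nothing and returns 1 on an odd argument count or an unknown code.
build_column_format() {
    [ $# -gt 0 ] && [ $(( $# % 2 )) -eq 0 ] || return 1
    out=""
    while [ $# -gt 0 ]; do
        title=$1; fmt=$2; shift 2
        is_known_format "$fmt" || return 1
        out="${out:+$out,}\"$title\",\"$fmt\""
    done
    printf '%s\n' "$out"
}

# Column form (Example A above).  The value is single-quoted so the inner
# double quotes reach tshark unchanged on a POSIX shell; the cmd.exe examples
# above use the doubled-quote form instead.
tshark_columns_cmd() {
    pcap=$1; shift
    fmt=$(build_column_format "$@") || return 1
    printf "tshark -r %s -o 'gui.column.format:%s'\n" "$pcap" "$fmt"
}

# Field form (Example B above): one -e per filter field, a header line and a
# chosen separator.  The separator is quoted because ";" ends a shell command.
tshark_fields_cmd() {
    pcap=$1; sep=$2; shift 2
    args=""
    for f in "$@"; do args="$args -e $f"; done
    printf "tshark -r %s -T fields -E header=y -E 'separator=%s'%s\n" "$pcap" "$sep" "$args"
}

# Usage (capture.pcap is a placeholder file name):
# tshark_columns_cmd capture.pcap "No." "%m" "Info" "%i" "Len" "%Cus:tcp.len"
# tshark_fields_cmd capture.pcap ';' frame.number ip.src tcp.srcport tcp.analysis.retransmission
```

Because the functions print the command rather than executing it, the generated line can be inspected (or piped into sh) after the quoting has been checked; a bad format code makes build_column_format fail before any tshark invocation is produced.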
