cascamp.blogg.se

Tshark display filter





Sometimes you want to process packet captures from the command line rather than from Wireshark's GUI. In this case the TShark tool is very useful. Wireshark and TShark share a powerful filter engine that helps remove the noise from a. There are two types of filters, BPF filters and display filters.

displayfilter: A display (Wireshark) filter to apply on the cap before reading it.
onlysummaries: Only produce packet summaries, much faster but includes very little information.
decryptionkey: Optional key used to encrypt and decrypt captured traffic.

Just as you can configure what columns to display in the packet summary in Wireshark, you can tell TShark what fields to display from the command line. Such an example command line might look like:

    $ tshark.exe -r <capture-file> -2 -R "ip.addr==10.2.3.5" -T fields -E separator=, -E quote=d -e frame.time -e ip.src -e ip.dst -e _ws.col.Info
    "06:36:05.109737000","10.2.3.5","192.168.0.3","IN s1/tmm1 : NTP Version 3, client"

Breaking down that command line we have:

    -R    Display filter to select what packets to show

But where does one find out the field name for the desired field? There are two ways: the first is to look up the display field reference.
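The quote=d option matters because the Info column in the output above contains a comma, so splitting each line on commas yields the wrong number of fields. As an added example (not code from the original page), this Python script builds that command line as an argument list and parses the quoted output with a CSV reader. It assumes tshark is on the PATH; the function names are hypothetical and the second and third sample rows are constructed.

```python
import csv
import io
import subprocess
from collections import Counter

# Field order matches the -e options on the command line above.
FIELDS = ["frame.time", "ip.src", "ip.dst", "_ws.col.Info"]
# First row is the output line from the page; the other two are constructed.
SAMPLE = '''\
"06:36:05.109737000","10.2.3.5","192.168.0.3","IN s1/tmm1 : NTP Version 3, client"
"06:36:05.110512000","192.168.0.3","10.2.3.5","OUT s1/tmm1 : NTP Version 3, server"
"06:37:09.204118000","10.2.3.5","192.168.0.3","IN s1/tmm1 : NTP Version 3, client"
'''

def tshark_argv(capture, display_filter, fields=FIELDS):
    """Build the command as a list, so the filter needs no shell quoting."""
    argv = ["tshark", "-r", capture, "-2", "-R", display_filter,
            "-T", "fields", "-E", "separator=,", "-E", "quote=d"]
    for name in fields:
        argv += ["-e", name]
    return argv

def parse_rows(text, fields=FIELDS):
    """Turn separator=, / quote=d output into one dict per packet."""
    rows = []
    for lineno, record in enumerate(csv.reader(io.StringIO(text)), 1):
        if not record:
            continue  # blank line
        if len(record) != len(fields):
            raise ValueError(
                f"line {lineno}: expected {len(fields)} fields, got {len(record)}")
        rows.append(dict(zip(fields, record)))
    return rows

def conversations(rows):
    """Count packets per (source, destination) pair."""
    return Counter((r["ip.src"], r["ip.dst"]) for r in rows)

def run(capture, display_filter):
    """Run tshark on a capture file and return the parsed rows."""
    out = subprocess.run(tshark_argv(capture, display_filter),
                         capture_output=True, text=True, check=True).stdout
    return parse_rows(out)

if __name__ == "__main__":
    for pair, count in conversations(parse_rows(SAMPLE)).most_common():
        print(pair, count)
```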





