SMTP and tshark fields

[spiffy pickle <spiffypickle () gmail com>]

Hello Everyone,
   I am trying to extract attachment filenames from SMTP streams using the
'-T fields' option. The problem is that there are multiple
smtp.req.commands, so most of the time instead of seeing the filename in the
output I see base64. The tshark command I'm using is:
tshark -r example.pcap -R 'smtp.req.command contains "filename" ||
smtp.req.parameter contains "filename"' -T fields -e ip.src -e ip.dst -e
smtp.req.parameter -e smtp.req.command

I'm using a perl one-liner right now to get the filename without using -T
fields but was wondering if there was a way to get tshark to output it.
Any suggestions?


Thanks,
   Harley

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe