Wireshark mailing list archives

Help with tshark display filter

From: "Starr, David" <David.Starr () e-hps com>
Date: Fri, 5 Mar 2010 13:20:46 -0600

I need to scan through several hundred capture files and pull out all of
the 9 character ID's on certain request packets.

 

I'm using the following tshark command:  tshark -r cfile0001.cap -R
"data contains NETN" -Tfields -edata

 

However, I cannot find a way in tshark to get this to output as text,
only as a byte array.  I've tried -edata-text-lines, and various other
things from the tshark man page, but so far no luck.

 

Ideally, I would like to extract the ID's that are at a fixed byte
offset..  I tried -edata[66:9] but this displayed only blank
lines........

 

Any help would be much appreciated!

 

 

David

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe

Current thread:

Help with tshark display filter Starr, David (Mar 05)
- <Possible follow-ups>
- Help with tshark display filter Starr, David (Mar 09)
  - Re: Help with tshark display filter Boonie (Mar 09)