An interesting question appeared at ask.wireshark.org this week – “How can I run Wireshark from the command line to open a file, and output a file containing only the UDP length of every DNS packet?”
It’s an interesting question because folks often overlook (a) capturing traffic with Tshark and (b) using the -T parameter to pull field information.
The answer was provided by skypemesm:
tshark -R 'dns' -r abc.pcap -T fields -e udp.length
-R 'dns' - applies a display filter to the trace file so only DNS packets are processed
-r abc.pcap - opens the abc.pcap file using Tshark
-T fields - indicates we are pulling field contents (default output format: text)
-e udp.length - tells Tshark to pull the value of the udp.length field
The results of this type of operation print on the screen.
What if you want to pull this information from a live capture?
Ok - you have to watch out here since Bug 2234 restricts us from using a display filter during a live capture in Tshark. Sigh. We'll use a capture filter instead.
tshark -T fields -e udp.length -f "port 53" > udplength.txt
In this case we are still pulling out the UDP length field values, but we've defined a capture filter for traffic to/from port 53 and redirected the results to a text file.
What else can you do? Well - you can use the -a parameter to define an autostop condition or the -c parameter to define the number of packets to capture.
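Here is an added example (it is not from the original post or from the Wireshark project) that takes the -T fields output one step further. Since tshark prints one udp.length value per line, the output pipes cleanly into a summary: count, minimum, maximum, mean, and how many packets exceed a size threshold (512 bytes by default, the classic DNS-over-UDP payload limit, so oversized responses stand out). The sample input is constructed to look like tshark's output, including the empty line tshark prints for a packet that has no udp.length field (DNS over TCP). The command builder uses -Y for the display filter, which newer tshark releases accept and which also works during a live capture; with the older tshark this post describes, use -R as shown above.

```bash
#!/bin/sh
# Added example, not from the original post: summarise the one-number-per-line
# output of `tshark -T fields -e udp.length`.

# Build the file-based tshark command from the post for trace file $1.
# -Y is the display-filter flag in newer tshark releases (older ones use -R).
dns_udp_length_cmd() {
  printf 'tshark -r %s -Y dns -T fields -e udp.length\n' "$1"
}

# Read integer lengths from stdin (one per line) and print a one-line summary.
# $1 is the size threshold (default 512). Lines that are not plain integers,
# such as the empty line tshark prints for a packet without udp.length, are skipped.
summarize_lengths() {
  awk -v limit="${1:-512}" '
    /^[0-9]+$/ {
      n++; sum += $1
      if (min == "" || $1 < min) min = $1
      if ($1 > max) max = $1
      if ($1 > limit) big++
    }
    END {
      if (n == 0) { print "count=0"; exit }
      printf "count=%d min=%d max=%d mean=%.1f over_%d=%d\n",
             n, min, max, sum / n, limit, big + 0
    }'
}

# Constructed sample of what tshark prints for `-T fields -e udp.length`
# over a DNS filter: five UDP lengths and one blank line for a TCP DNS packet.
SAMPLE='45
61

45
1232
77'

# Usage against a real trace (assumes tshark is installed):
#   tshark -r abc.pcap -Y dns -T fields -e udp.length | summarize_lengths
# Demo on the constructed sample:
printf '%s\n' "$SAMPLE" | summarize_lengths
```

For a live capture the same summary applies to the capture-filter form from the post: pipe `tshark -T fields -e udp.length -f "port 53"` into summarize_lengths instead of redirecting it to udplength.txt, or run the summary later over the saved text file.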
All Access Pass Members: The Tshark Command-Line Capture course is released on the new portal. I just added a section on the use of -T/-e parameters after writing this blog. You should have received an email with your login instructions. If you didn't - send an email to info@chappellU.com.
Not an All Access Pass member? Jeepers - the price was just lowered so now is the time to sign up for one-year of online training at http://www.chappellu.com/.