[WireShark][tShark] Rewriting the Output Columns


Before the rewrite:

c:\Program Files\Wireshark>tshark.exe -i 1 -t ad -c 3 -f "arp"
Capturing on 'LAN'
    1 2018-02-03 01:24:57.171146 Vmware_c3:97:f8 → AsustekC_fd:12:ba ARP 60 Who has 192.168.7.73? Tell 192.168.7.79
    2 2018-02-03 01:24:57.171169 AsustekC_fd:12:ba → Vmware_c3:97:f8 ARP 42 192.168.7.73 is at 00:26:18:fd:12:ba
    3 2018-02-03 01:24:57.505058 AsustekC_fd:12:ba → Vmware_c3:97:f8 ARP 42 Who has 192.168.7.79? Tell 192.168.7.73
3 packets captured

After the rewrite (a Vendor column with the resolved hardware address is added in front of the unresolved Source and Destination hardware addresses):

c:\Program Files\Wireshark>tshark.exe -i 1 -t ad -c 3 -f "arp"  -o "gui.column.format:\"No.\",\"%m\",\"Time\",\"%t\",\"Vendor\",\"%rhs\",\"Source\",\"%uhs\",\"Destination\",\"%uhd\",\"Protocol\",\"%p\",\"Length\",\"%L\",\"Info\",\"%i\""
Capturing on 'LAN'
    1 2018-02-03 01:23:53.208062 D-LinkIn_5c:c0:fe d8:fe:e3:5c:c0:fe → ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.7.96? Tell 192.168.7.1
    2 2018-02-03 01:23:59.275652 SamsungE_85:b6:a5 ac:5f:3e:85:b6:a5 → ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.7.2? Tell 192.168.7.96
    3 2018-02-03 01:23:59.276012 SamsungE_85:b6:a5 ac:5f:3e:85:b6:a5 → ff:ff:ff:ff:ff:ff ARP 60 Who has 192.168.7.2? Tell 192.168.7.96
3 packets captured

The column format specifiers used in the rewrite can be listed with
tshark.exe -G column-formats
(one of the generators shown by tshark -G help).

[Networking][tshark] Column Rewriting


c:\Program Files\Wireshark>.\tshark.exe -G column-formats
%q 802.1Q VLAN id
%Yt Absolute date, as YYYY-MM-DD, and time
%YDOYt Absolute date, as YYYY/DOY, and time
%At Absolute time
%V Cisco VSAN
%B Cumulative Bytes
%Cus Custom
%y DCE/RPC call (cn_call_id / dg_seqnum)
%Tt Delta time
%Gt Delta time displayed
%rd Dest addr (resolved)
%ud Dest addr (unresolved)
%rD Dest port (resolved)
%uD Dest port (unresolved)
%d Destination address
%D Destination port
%a Expert Info Severity
%I FW-1 monitor if/direction
%F Frequency/Channel
%hd Hardware dest addr
%hs Hardware src addr
%rhd Hw dest addr (resolved)
%uhd Hw dest addr (unresolved)
%rhs Hw src addr (resolved)
%uhs Hw src addr (unresolved)
%e IEEE 802.11 RSSI
%x IEEE 802.11 TX rate
%f IP DSCP Value
%i Information
%rnd Net dest addr (resolved)
%und Net dest addr (unresolved)
%rns Net src addr (resolved)
%uns Net src addr (unresolved)
%nd Network dest addr
%ns Network src addr
%m Number
%L Packet length (bytes)
%p Protocol
%Rt Relative time
%s Source address
%S Source port
%rs Src addr (resolved)
%us Src addr (unresolved)
%rS Src port (resolved)
%uS Src port (unresolved)
%E TEI
%Yut UTC date, as YYYY-MM-DD, and time
%YDOYut UTC date, as YYYY/DOY, and time
%Aut UTC time
%t Time (format as specified)

For example, to print Wireshark’s default columns with tshark:

tshark.exe -o "gui.column.format:\"No.\",\"%m\",\"Time\",\"%t\",\"Source\",\"%s\",\"Destination\",\"%d\",\"Protocol\",\"%p\",\"Length\",\"%L\",\"Info\",\"%i\""
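Hand-escaping the nested quotes in gui.column.format is error-prone, and a mistyped specifier silently yields an empty column. The following added helper (example code written for this note, not part of the post or of Wireshark) parses the -G column-formats table shown above into a lookup, builds the preference string from (title, specifier) pairs, and rejects unknown specifiers before tshark is run; the sample table text is a constructed subset of the listing above.

```python
import re
import shlex

# Constructed sample: a subset of the `tshark -G column-formats` listing above,
# in the same "<specifier> <description>" layout.
COLUMN_FORMATS_TEXT = """\
%m Number
%t Time (format as specified)
%s Source address
%d Destination address
%rhs Hw src addr (resolved)
%uhs Hw src addr (unresolved)
%uhd Hw dest addr (unresolved)
%p Protocol
%L Packet length (bytes)
%i Information
"""

def parse_column_formats(text):
    """Map each format specifier (e.g. '%rhs') to its description."""
    formats = {}
    for line in text.splitlines():
        m = re.match(r"^(%\w+)\s+(.*)$", line.strip())
        if m:
            formats[m.group(1)] = m.group(2)
    return formats

def build_column_format(columns, known=None):
    """Build the gui.column.format preference value for `tshark -o`.

    columns: list of (title, specifier) pairs in display order.
    known:   optional dict from parse_column_formats(); when given, an
             unknown specifier raises instead of producing an empty column.
    """
    parts = []
    for title, spec in columns:
        if known is not None and spec not in known:
            raise ValueError(f"unknown column format {spec!r} for column {title!r}")
        parts.append(f'"{title}","{spec}"')
    return "gui.column.format:" + ",".join(parts)

def tshark_argv(columns, *extra, known=None):
    """Argument vector for subprocess use, so no shell-level quote escaping is needed."""
    return ["tshark", "-o", build_column_format(columns, known), *extra]

if __name__ == "__main__":
    known = parse_column_formats(COLUMN_FORMATS_TEXT)
    # The "after" layout from the first post: vendor (resolved) plus raw MACs.
    cols = [("No.", "%m"), ("Time", "%t"), ("Vendor", "%rhs"), ("Source", "%uhs"),
            ("Destination", "%uhd"), ("Protocol", "%p"), ("Length", "%L"), ("Info", "%i")]
    print(shlex.join(tshark_argv(cols, "-i", "1", "-t", "ad", "-c", "3", "-f", "arp", known=known)))
```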
