I'm trying to expand tshark's output. On the first round I haven't found simple solution, only that one can extract a field by the -e option, so the following command outputs
- frame number
- time from beginning of capture
- source ip address
- destination ip address
- http request uri
- and the http content lenght, which I want to add to the default output.
tshark -T fields -e frame.number -e frame.time_relative -e ip.src -e ip.dst http.request.uri -e http.content_length
My problem is, that I can't find the default output field names or an option that leaves them and append the desired fields to it.
It's not mandatory, but would be nice to know : )