2
votes

I would like to add a Tshark column that tells me which type of ICMP-packet has been captured. This would be the following: icmp.type

While I still need the default columns, how can I make Tshark also show this one?

I've already seen the option to work with -T fields and -e but then all the default columns are left out.


2 Answers

3
votes

You can add the default columns and use for instance:

tshark -i 1 -T fields -e frame.number -e frame.time -e eth.src -e eth.dst -e frame.protocols -e _ws.col.Protocol -e _ws.col.Info -e icmp.type -E header=y > output.csv

See tshark -h or the man-page for more information.
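Added example (not part of the answer above, and not Wireshark project code): a short Python parser for the file that command writes, tallying ICMP types per source MAC. It assumes tshark's default `-E` settings, which separate columns with tabs (despite the `.csv` name) and join repeated occurrences of a field with a comma; the sample rows, MAC addresses and type-name table are constructed for illustration.

```python
import csv
import io
from collections import Counter

# Common ICMPv4 type numbers; anything else is reported as "type-N".
ICMP_TYPES = {"0": "echo-reply", "3": "dest-unreachable",
              "8": "echo-request", "11": "time-exceeded"}

FIELDS = ["frame.number", "frame.time", "eth.src", "eth.dst",
          "frame.protocols", "_ws.col.Protocol", "_ws.col.Info", "icmp.type"]

# Constructed sample rows (not a real capture). Row 3 is not ICMP, so its
# icmp.type is empty; row 4 is an ICMP error quoting an echo request, so
# the field occurs twice and tshark joins the values with a comma.
A, B = "aa:aa:aa:aa:aa:01", "aa:aa:aa:aa:aa:02"
ROWS = [
    ["1", "Oct 10, 2018 10:39:54.000000000 CEST", A, B,
     "eth:ethertype:ip:icmp:data", "ICMP", "Echo (ping) request", "8"],
    ["2", "Oct 10, 2018 10:39:54.000100000 CEST", B, A,
     "eth:ethertype:ip:icmp:data", "ICMP", "Echo (ping) reply", "0"],
    ["3", "Oct 10, 2018 10:39:55.000000000 CEST", A, B,
     "eth:ethertype:ip:tcp:ssh", "SSH", "Encrypted response packet", ""],
    ["4", "Oct 10, 2018 10:39:56.000000000 CEST", B, A,
     "eth:ethertype:ip:icmp:ip:icmp:data", "ICMP",
     "Destination unreachable", "3,8"],
]
SAMPLE = "\n".join("\t".join(r) for r in [FIELDS] + ROWS) + "\n"


def icmp_types_by_source(text):
    """Map each eth.src to a Counter of the outer ICMP type names it sent."""
    result = {}
    # QUOTE_NONE: the Info column may contain literal double quotes.
    reader = csv.DictReader(io.StringIO(text), delimiter="\t",
                            quoting=csv.QUOTE_NONE)
    for row in reader:
        raw = row.get("icmp.type") or ""
        if not raw:
            continue  # no icmp.type field: not an ICMP packet
        outer = raw.split(",")[0]  # first occurrence is the outer header
        name = ICMP_TYPES.get(outer, "type-" + outer)
        result.setdefault(row["eth.src"], Counter())[name] += 1
    return result


if __name__ == "__main__":
    for src, counts in icmp_types_by_source(SAMPLE).items():
        print(src, dict(counts))
```

To use it on a real capture, pass the contents of `output.csv` to `icmp_types_by_source` instead of `SAMPLE`.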

1
votes

If you want to add something to the default summary output, you can also use:

-z proto,colinfo,filter,field

For example something like:

-z proto,colinfo,tcp.seq,tcp.seq

Will show this:

1 2018-10-10 10:39:54 192.168.0.10 -> 192.168.0.1 SSH 198 Encrypted response packet len=132 tcp.seq == 1