labeneator · April 16, 2014 11:16
diff --git a/tshark-display-filter.sh b/tshark-display-filter.sh
 # First 10 packets of the second TCP stream in the pcap
 # Comman separated values with a header for the specified fields
 $ tshark  -ntu -r  test.pcap  -Y tcp.stream==1  -c 10 \
  -E header=y  -Tfields -E separator="," \
  -e ip.src \
  -e tcp.srcport \
  -e "ip.dst" \
  -e tcp.dstport \
  -e tcp.flags.syn \
  -e tcp.flags.ack \
  -e tcp.flags.push \
  -e tcp.flags.reset \
  -e tcp.analysis.bytes_in_flight \
  -e tcp.len
  
  
 # Piping the output of the previous command to the csvlook command yields a nice table that can be easily grokked on the shell
 |----------+-------------+---------+-------------+---------------+---------------+----------------+-----------------+------------------------------+----------|
 |  ip.src  | tcp.srcport | ip.dst  | tcp.dstport | tcp.flags.syn | tcp.flags.ack | tcp.flags.push | tcp.flags.reset | tcp.analysis.bytes_in_flight | tcp.len  |
 |----------+-------------+---------+-------------+---------------+---------------+----------------+-----------------+------------------------------+----------|
 |  a.b.c.d | 8645        | e.f.g.h | 9999        | 1             | 0             | 0              | 0               |                              | 0        |
 |  e.f.g.h | 9999        | a.b.c.d | 8645        | 1             | 1             | 0              | 0               |                              | 0        |
 |  a.b.c.d | 8645        | e.f.g.h | 9999        | 0             | 1             | 0              | 0               |                              | 0        |
 |  a.b.c.d | 8645        | e.f.g.h | 9999        | 0             | 1             | 1              | 0               | 168                          | 168      |
 |  e.f.g.h | 9999        | a.b.c.d | 8645        | 0             | 1             | 0              | 0               |                              | 0        |
 |  e.f.g.h | 9999        | a.b.c.d | 8645        | 0             | 1             | 1              | 0               | 1154                         | 1154     |
 |  a.b.c.d | 8645        | e.f.g.h | 9999        | 0             | 1             | 0              | 0               |                              | 0        |
 |  a.b.c.d | 8645        | e.f.g.h | 9999        | 0             | 1             | 0              | 0               | 1448                         | 1448     |
 |  a.b.c.d | 8645        | e.f.g.h | 9999        | 0             | 1             | 1              | 0               | 1502                         | 54       |
 |  e.f.g.h | 9999        | a.b.c.d | 8645        | 0             | 1             | 0              | 0               |                              | 0        |
 |----------+-------------+---------+-------------+---------------+---------------+----------------+-----------------+------------------------------+----------|
	# First 10 packets of the second TCP stream in the pcap
	# Comman separated values with a header for the specified fields
	$ tshark -ntu -r test.pcap -Y tcp.stream==1 -c 10 \
	-E header=y -Tfields -E separator="," \
	-e ip.src \
	-e tcp.srcport \
	-e "ip.dst" \
	-e tcp.dstport \
	-e tcp.flags.syn \
	-e tcp.flags.ack \
	-e tcp.flags.push \
	-e tcp.flags.reset \
	-e tcp.analysis.bytes_in_flight \
	-e tcp.len


	# Piping the output of the previous command to the csvlook command yields a nice table that can be easily grokked on the shell
	\|----------+-------------+---------+-------------+---------------+---------------+----------------+-----------------+------------------------------+----------\|
	\| ip.src \| tcp.srcport \| ip.dst \| tcp.dstport \| tcp.flags.syn \| tcp.flags.ack \| tcp.flags.push \| tcp.flags.reset \| tcp.analysis.bytes_in_flight \| tcp.len \|
	\|----------+-------------+---------+-------------+---------------+---------------+----------------+-----------------+------------------------------+----------\|
	\| a.b.c.d \| 8645 \| e.f.g.h \| 9999 \| 1 \| 0 \| 0 \| 0 \| \| 0 \|
	\| e.f.g.h \| 9999 \| a.b.c.d \| 8645 \| 1 \| 1 \| 0 \| 0 \| \| 0 \|
	\| a.b.c.d \| 8645 \| e.f.g.h \| 9999 \| 0 \| 1 \| 0 \| 0 \| \| 0 \|
	\| a.b.c.d \| 8645 \| e.f.g.h \| 9999 \| 0 \| 1 \| 1 \| 0 \| 168 \| 168 \|
	\| e.f.g.h \| 9999 \| a.b.c.d \| 8645 \| 0 \| 1 \| 0 \| 0 \| \| 0 \|
	\| e.f.g.h \| 9999 \| a.b.c.d \| 8645 \| 0 \| 1 \| 1 \| 0 \| 1154 \| 1154 \|
	\| a.b.c.d \| 8645 \| e.f.g.h \| 9999 \| 0 \| 1 \| 0 \| 0 \| \| 0 \|
	\| a.b.c.d \| 8645 \| e.f.g.h \| 9999 \| 0 \| 1 \| 0 \| 0 \| 1448 \| 1448 \|
	\| a.b.c.d \| 8645 \| e.f.g.h \| 9999 \| 0 \| 1 \| 1 \| 0 \| 1502 \| 54 \|
	\| e.f.g.h \| 9999 \| a.b.c.d \| 8645 \| 0 \| 1 \| 0 \| 0 \| \| 0 \|
	\|----------+-------------+---------+-------------+---------------+---------------+----------------+-----------------+------------------------------+----------\|