1. Filter TCP packets on port 5001 and print the time
tshark -r h1.pcap -Y "tcp.port==5001" -T fields -e frame.time
The time format looks like
“Jan 1,2016 20:27:30.355595000 CST”
2. Adjust the time format
tshark -r h1.pcap -Y "tcp.port==5001" -o column.format:"packet,%m,Time,%t,Info,%i"
%t prints the time as 10.710926
%Yt prints the time as 2016-01-01 20:27:30.355595
wireshark - How do I format tshark time to ISO format (yyyy-dd-mm)? - Stack Overflow
tshark - The Wireshark Network Analyzer 2.0.0
3. Count all packets
tshark -r test.cap | wc -l
c - Getting the number of packets in a pcap capture file? - Stack Overflow
4. Output specific fields
tshark -nr input.pcap -Y "display filter" -T fields -e frame.number -e tcp.seq -e tcp.options.timestamp.tsval
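Added example (not from the original notes): post-processing the field output of steps 1 and 4 into ISO 8601 UTC timestamps, relative times and a packet count. It assumes the fields were exported with -e frame.number -e frame.time_epoch -e tcp.seq -e tcp.options.timestamp.tsval; frame.time_epoch is used here instead of frame.time because a zone abbreviation such as CST is ambiguous. The sample rows and the function names are constructed for illustration.

```python
from datetime import datetime, timezone
from decimal import Decimal

# Column order of the assumed tshark command:
#   -T fields -e frame.number -e frame.time_epoch -e tcp.seq -e tcp.options.timestamp.tsval
FIELDS = ("number", "epoch", "seq", "tsval")

# Constructed sample output (tab-separated, not from a real capture).
# Packet 2 carries no TCP timestamp option, so its last column is empty.
SAMPLE = (
    "1\t1451651250.355595000\t0\t4294901\n"
    "2\t1451651250.355641000\t1\t\n"
    "3\t1451651261.066521000\t1449\t4297579\n"
)

def epoch_to_iso(epoch):
    """Turn 'seconds.nanoseconds' text into ISO 8601 UTC without float rounding."""
    secs, _, frac = epoch.partition(".")
    micros = int((frac + "000000")[:6])  # pad or truncate to microseconds
    dt = datetime.fromtimestamp(int(secs), tz=timezone.utc)
    return dt.replace(microsecond=micros).isoformat(timespec="microseconds")

def parse_fields(text):
    """Parse the field output into one record per packet."""
    rows, first = [], None
    for line in text.splitlines():
        if not line.strip():
            continue  # skip blank lines
        cols = line.split("\t")
        cols += [""] * (len(FIELDS) - len(cols))  # tolerate missing trailing columns
        rec = dict(zip(FIELDS, cols))
        first = first if first is not None else Decimal(rec["epoch"])
        rows.append({
            "frame": int(rec["number"]),
            "time_utc": epoch_to_iso(rec["epoch"]),
            "rel": Decimal(rec["epoch"]) - first,  # seconds since first listed packet
            "seq": int(rec["seq"]) if rec["seq"] else None,
            "tsval": int(rec["tsval"]) if rec["tsval"] else None,
        })
    return rows

if __name__ == "__main__":
    packets = parse_fields(SAMPLE)
    for p in packets:
        print(p["frame"], p["time_utc"], p["rel"], p["seq"], p["tsval"])
    print("packets:", len(packets))  # one record per output line, like wc -l
```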