tshark: want udp, bootp details only, not Frame, Ether, IP details

chrism01 · 09-10-2013, 07:13 PM

Hi Guys,

I'm using tshark to get detailed info on dhcp pkts.
Found this

Code:

tshark -i eth0   -V -f "udp port 67 || udp port 68"

here http://networkingbodges.blogspot.com...ne-liners.html, which seems to do the trick nicely.
However, it shows all the details for all the fields for all the layers ie Frame, Ether, IP, udp, bootp.
I only need to see the udp and bootp blocks of output.
Does anyone know how to restrict/filter to just those?

I found an option -O protocols on one man page, but it appears my install (RHEL6, wireshark 1.2.15) doesn't support it.

I did think tweaking the capture filter or creating a display filter to add to the cmd would do it, but I'm new to tshark and haven't figured it out yet.

NB: this is a cli only server, so most webpages talking about the GUI aren't terribly helpful.

UPDATED:
Ok, resorted to a sed hack, but I'd be interested to know/learn how to do it in tshark; I'm sure it can be done.

Code:

tshark -i eth0   -V -f "udp port 67 || udp port 68"|sed -n '/^User Datagram/,/Padding/p;/Padding/i\\n'

unSpawn · 09-11-2013, 01:29 AM

Quote:

Originally Posted by chrism01

However, it shows all the details for all the fields for all the layers ie Frame, Ether, IP, udp, bootp. I only need to see the udp and bootp blocks of output. Does anyone know how to restrict/filter to just those?

I would use capture filters to restrict what's being captured as that keeps all the information in place. If you don't all you'll get is mutilated output you can't work with later on should you so desire. Displaying saved pcap contents is another story. Determining the maximum length of the headers and ditching those should give you the payload. See 'man tcpdump' about header notation or "slice" in 'man wireshark-filters'?