I am using tshark to diagnose an asymmetric route problem. I am filtering the traffic so only src/dest to a specific ip is being captured, but I would like to display a field that shows which interface the traffic is going in/out on so I can see the impact as I work with route tables.

With Wireshark I can get partway there by displaying the MAC address using Hardware dest addr and Hardware src addr, but in TShark I can't find that filter.

Can anyone suggest a way to display the NIC name, or MAC address with TShark?

Here is the tshark command I have tried:

tshark -i eno1 -i enp5s0 -T fields -E header=y -e ip.src -e ip.dst -e _ws.col.Protocol -e _ws.col.Info -Y "ip.addr==10.10.10.30"

2 Answers

I found the solution. It turns out that the fields displayed in Wireshark have direct correlations to fields you can display in tshark. So you search under Frame in the Wireshark doco and all becomes clear. My issue was not seeing the correlation between the doc and the Wireshark UI to see what I could do on the command line.

All I had to do was add -e frame.interface_name or -e frame.interface_id

To find out about field names, you can also use the json or pdml output formats by passing -T json or -T pdml to tshark. You'll see all the dissected fields in the capture with the same name as you can use in display filters or select with -e for the -T fields format:

[
  {
    "_index": "packets-2021-10-09",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame": {
          "frame.interface_id": "0",
          "frame.interface_id_tree": {
            "frame.interface_name": "wlp3s0"
          },
          "frame.encap_type": "1",
[...]
<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/xsl" href="pdml2html.xsl"?>
<!-- You can find pdml2html.xsl in /usr/share/wireshark or at https://gitlab.com/wireshark/wireshark/-/raw/master/pdml2html.xsl. -->
<pdml version="0" creator="wireshark/3.4.8" time="Sat Oct  9 10:20:13 2021" capture_file="file.pcap">
<packet>
  <proto name="geninfo" pos="0" showname="General information" size="52">
    <field name="num" pos="0" show="1" showname="Number" value="1" size="52"/>
    <field name="len" pos="0" show="52" showname="Frame Length" value="34" size="52"/>
    <field name="caplen" pos="0" show="52" showname="Captured Length" value="34" size="52"/>
    <field name="timestamp" pos="0" show="Oct  9, 2021 10:19:24.034789189 BST" showname="Captured Time" value="1633771164.034789189" size="52"/>
  </proto>
  <proto name="frame" showname="Frame 1: 52 bytes on wire (416 bits), 52 bytes captured (416 bits) on interface wlp3s0, id 0" size="52" pos="0">
    <field name="frame.interface_id" showname="Interface id: 0 (wlp3s0)" size="0" pos="0" show="0">
      <field name="frame.interface_name" showname="Interface name: wlp3s0" size="0" pos="0" show="wlp3s0"/>
    </field>
    <field name="frame.encap_type" showname="Encapsulation type: Ethernet (1)" size="0" pos="0" show="1"/>

In Wireshark, you can select the field you're interested in, right-click and Copy -> Field Name:

screenshot of field name copy
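Putting the two answers together, here is an added Python example (not from either poster) that reads the -T json output shown above, pulls frame.interface_name out of each packet, and tallies packets to and from the filtered address per capture interface, which is the per-NIC view the question asks for. The JSON sample is constructed and trimmed to the fields read; the NIC names eno1/enp5s0 and the host address are the ones from the question.

```python
import json
from collections import Counter

# Constructed sample of `tshark -T json` output (two packets), trimmed to the
# fields this script reads; real output carries many more layers and fields.
SAMPLE_JSON = """
[
  {"_source": {"layers": {
    "frame": {"frame.interface_id": "0",
              "frame.interface_id_tree": {"frame.interface_name": "eno1"}},
    "ip": {"ip.src": "10.10.10.30", "ip.dst": "192.0.2.10"}}}},
  {"_source": {"layers": {
    "frame": {"frame.interface_id": "1",
              "frame.interface_id_tree": {"frame.interface_name": "enp5s0"}},
    "ip": {"ip.src": "192.0.2.10", "ip.dst": "10.10.10.30"}}}}
]
"""

def interface_name(frame):
    """Interface name of one frame layer. The page's sample nests it under
    frame.interface_id_tree; fall back to a flat key, then the numeric id."""
    tree = frame.get("frame.interface_id_tree", {})
    return (tree.get("frame.interface_name")
            or frame.get("frame.interface_name")
            or "id:" + frame.get("frame.interface_id", "?"))

def traffic_by_interface(packets, host):
    """Count packets per (interface, direction) for traffic involving host.
    Direction is "from" when host is ip.src and "to" when it is ip.dst; an
    asymmetric route shows up as "from" and "to" landing on different NICs."""
    counts = Counter()
    for pkt in packets:
        layers = pkt["_source"]["layers"]
        ip = layers.get("ip")
        if not ip:
            continue  # non-IP frame (e.g. ARP); irrelevant to the route check
        if ip.get("ip.src") == host:
            direction = "from"
        elif ip.get("ip.dst") == host:
            direction = "to"
        else:
            continue
        counts[(interface_name(layers["frame"]), direction)] += 1
    return counts

if __name__ == "__main__":
    tally = traffic_by_interface(json.loads(SAMPLE_JSON), "10.10.10.30")
    for (nic, direction), n in sorted(tally.items()):
        print(f"{nic:8} {direction:4} {n}")
```

To run it on real traffic, capture with `tshark -i eno1 -i enp5s0 -T json -Y "ip.addr==10.10.10.30" > capture.json` and pass `json.load(open("capture.json"))` in place of the sample.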
