How do I get tshark to do the more complete and informative parsing of BitTorrent traffic that appears in Wireshark? Here's an example of what I mean.
In case that webpage changes, I'll state explicitly what I mean. In the Wireshark screen, it will parse the BitTorrent messages and label the message type as "Interested (2)", but in tshark it will state more opaquely "2". I'm using flags such as -Tjson or -Tek or -Tfields and referencing this page for fields (-e flag): https://www.wireshark.org/docs/dfref/b/bittorrent.html. But the output isn't as informative or as completely parsed into strings as it is in the Wireshark GUI.
How can I get tshark to output the more descriptive strings that Wireshark outputs?
Alternatively, is there an automated/programmatic way of outputting the Wireshark output? I have too many files to analyze to load them into Wireshark one by one.
Thank you for your help. Please let me know if I can clarify my question.
There are two methods I'm aware of that should help you accomplish your goal, both of which involve specifying the columns you want to use.
Method 1: Use Wireshark to configure a profile with the columns you want and then use -T fields along with -e field to specify the columns to display.

Run tshark selecting that profile, e.g., tshark -C Bittorrent -2 -Y "bittorrent" -r bittorrent.pcap. Then use -T fields and any combination of -e field and "-e _ws.col.Name Of Column" to display the columns you want, e.g., if you added the bittorrent.msg.type field as a column and kept the column name as the default "Message Type", then you'd use something like this:

tshark -C Bittorrent -2 -Y "bittorrent" -r bittorrent.pcap -T fields -e frame.number -e "_ws.col.Message Type"

You could even add -e bittorrent.msg.type too if you also want the values instead of just the strings.
Method 2: Directly specify the columns you want without necessarily having to add them as columns in Wireshark first.

First, to get an idea of the built-in columns that tshark supports, you can run tshark -G column-formats, and an example is provided in the output.

So, to accomplish the same thing as before but using this method, on Windows you'd use:

tshark -2 -Y "bittorrent" -r bittorrent.pcap -o "gui.column.format:\"No.\",\"%m\",\"Message Type\",\"%Cus:bittorrent.msg.type\""

and on *nix you'd use:

tshark -2 -Y "bittorrent" -r bittorrent.pcap -o 'gui.column.format:"No.","%m","Message Type","%Cus:bittorrent.msg.type"'

(The only difference between Windows and *nix is the quoting.)
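As an added example (not code from the answer above), here is a Python script that applies Method 2 across a whole directory of captures, which covers the "too many files" part of the question: it defines the Message Type column on the tshark command line, reads it back with -T fields next to the raw bittorrent.msg.type value, and tallies the string/value pairs per file. The tshark arguments are the ones from the answer; the tab-separated sample output embedded at the bottom is constructed, not captured from a real run.

```python
"""Batch the Method 2 tshark invocation over many pcaps and tally message types."""
import collections
import shutil
import subprocess
from pathlib import Path

# Define the "Message Type" column on the command line (no Wireshark profile
# needed) and read it back as a field; the raw numeric value is kept alongside.
COLUMN_FORMAT = 'gui.column.format:"No.","%m","Message Type","%Cus:bittorrent.msg.type"'
TSHARK_ARGS = [
    "-2", "-Y", "bittorrent", "-o", COLUMN_FORMAT, "-T", "fields",
    "-e", "frame.number", "-e", "_ws.col.Message Type", "-e", "bittorrent.msg.type",
]

def parse_fields_output(text):
    """Count (message-type string, numeric value) pairs in tshark -T fields output.
    Each line is frame<TAB>label<TAB>value; a frame carrying several BitTorrent
    messages yields comma-separated labels and values, which are paired up."""
    counts = collections.Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        _frame, labels, values = (line.split("\t") + ["", ""])[:3]
        for label, value in zip(labels.split(","), values.split(",")):
            counts[(label.strip(), value.strip())] += 1
    return counts

def run_tshark(pcap):
    """Return tshark's -T fields output for one capture ('' if tshark is absent)."""
    if shutil.which("tshark") is None:
        return ""
    cmd = ["tshark", "-r", str(pcap)] + TSHARK_ARGS
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def summarize_directory(directory):
    """Map each *.pcap file name under directory to its message-type Counter."""
    return {p.name: parse_fields_output(run_tshark(p))
            for p in sorted(Path(directory).glob("*.pcap"))}

# Constructed sample of the tab-separated output the arguments above produce
# (not captured from a real run): frame number, column string, raw value.
SAMPLE_OUTPUT = ("12\tInterested\t2\n" "13\tUnchoke\t1\n"
                 "21\tInterested,Unchoke\t2,1\n" "30\tInterested\t2\n")

if __name__ == "__main__":
    for (label, value), n in parse_fields_output(SAMPLE_OUTPUT).most_common():
        print(f"{label} ({value}): {n}")
```

Point summarize_directory at a folder of .pcap files to get one Counter per capture; the parser also copes with frames that carry more than one BitTorrent message, which tshark emits as comma-separated values.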