Sean Sog Miller

Reputation: 207

How to get source and destination port with tshark regardless of protocol?

I am trying to get some fields from a packet, e.g. the destination ip = ip.dst; however I am not sure what is the id for source and destination ports. From what I have seen, they seem to be protocol specific, that is for udp = udp.destport; however I would like to know if there is a way to pick up the ports regardless of protocol. Below is an example of what I have tried:

tshark -n -T fields -E separator=, -e frame.time -e ip.src -e ip.dst -e ip.proto -e tcp.port -e ip.len -e tcp.flags.push

---Blessings.

Upvotes: 1

Views: 14778

Answers (1)

Christopher Maynard

Reputation: 6254

Probably the easiest way to find out what a field is called is to open a capture file in Wireshark that you know contains the field of interest, then expand the Packet Details until you find the field you're interested in, and finally select the field. The field name will be displayed for you in the status bar at the bottom.

You can also search for fields using the online Wireshark Display Filter Reference.

Regarding the ports, they are unique per protocol, so if you want to see TCP source and destination ports, you will have to specifically filter for tcp.srcport and tcp.dstport, and if you want to see UDP source and destination ports, then you will have to specifically filter for udp.srcport and udp.dstport.

To avoid blank UDP port columns for TCP traffic or blank TCP port columns for UDP traffic, you can run the command twice to focus only on TCP traffic first and then only on UDP traffic next. For example:

TCP:

tshark -Y "tcp" -T fields -e tcp.srcport -e tcp.dstport

UDP:

tshark -Y "udp" -T fields -e udp.srcport -e udp.dstport

(I omitted all other tshark options to focus on only the options I was trying to illustrate.)

Upvotes: 6
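An alternative to running tshark twice is to request both the TCP and UDP port fields in one pass and merge the columns afterwards, using ip.proto to decide which pair is populated. The script below is an added example, not part of the answer above; the tshark invocation in the comment is an assumed one and the rows in SAMPLE are constructed, not taken from a real capture. It assumes IPv4 traffic (ip.proto) and that -E occurrence=f is used so a tunnelled packet with two TCP headers does not emit two comma-joined values into one cell.

```python
# Merge protocol-specific port columns from tshark "-T fields" output into a
# single srcport/dstport pair per packet.  Added example; the sample output
# below is constructed to look like what the assumed invocation prints:
#
#   tshark -n -T fields -E separator=, -E header=y -E occurrence=f \
#       -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto \
#       -e tcp.srcport -e tcp.dstport -e udp.srcport -e udp.dstport -r in.pcap
#
# With a comma separator, the columns of the "other" protocol are simply empty.
import csv
import io

SAMPLE = """frame.time_epoch,ip.src,ip.dst,ip.proto,tcp.srcport,tcp.dstport,udp.srcport,udp.dstport
1700000000.000001,10.0.0.5,93.184.216.34,6,51234,443,,
1700000000.000002,10.0.0.5,10.0.0.1,17,,,54321,53
1700000000.000003,10.0.0.5,10.0.0.1,1,,,,
"""

# Only these IP protocol numbers carry ports; anything else (ICMP, GRE, ...)
# gets None for both ports instead of a misleading blank string.
PORT_PROTOCOLS = {6: "tcp", 17: "udp"}


def _port(value):
    """tshark prints an empty cell when a field is absent; normalise to None."""
    return int(value) if value else None


def coalesce_ports(fields_output):
    """Parse tshark field output and return one dict per packet with a
    protocol label and protocol-independent srcport/dstport keys."""
    packets = []
    for rec in csv.DictReader(io.StringIO(fields_output)):
        proto_num = int(rec["ip.proto"])
        name = PORT_PROTOCOLS.get(proto_num)
        if name is None:
            srcport = dstport = None
            label = str(proto_num)
        else:
            srcport = _port(rec[f"{name}.srcport"])
            dstport = _port(rec[f"{name}.dstport"])
            label = name
        packets.append({
            "time": float(rec["frame.time_epoch"]),
            "src": rec["ip.src"],
            "dst": rec["ip.dst"],
            "proto": label,
            "srcport": srcport,
            "dstport": dstport,
        })
    return packets


def format_rows(packets):
    """Render the merged records as a single comma-separated table."""
    lines = ["time,src,dst,proto,srcport,dstport"]
    for p in packets:
        sp = "" if p["srcport"] is None else p["srcport"]
        dp = "" if p["dstport"] is None else p["dstport"]
        lines.append(f'{p["time"]:.6f},{p["src"]},{p["dst"]},{p["proto"]},{sp},{dp}')
    return "\n".join(lines)


if __name__ == "__main__":
    # In practice read sys.stdin here and pipe tshark into the script.
    print(format_rows(coalesce_ports(SAMPLE)))
```

The same approach extends to IPv6 by also requesting ipv6.nxt and falling back to it when ip.proto is empty; the port field names stay tcp.* and udp.* either way.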
