Reputation: 11
Hi, shown below is the output from TShark using "tshark -i mon0":
0.000000 e4:6e:d1:a4:21:3e -> Broadcast 802.11 251 Beacon frame, SN=2145, FN=0, Flags=........C, BI=100, SSID=AndroidAP
0.191876 8c:65:a1:df:2e:d2 -> Broadcast 802.11 98 Data, SN=2091, FN=0, Flags=.p....F.C
0.368961 0c:55:2c:7b:25:b0 -> Broadcast 802.11 249 Beacon frame, SN=3120, FN=0, Flags=........C, BI=100, SSID=ASUS 5G
0.373837 Wisol_76:51:10 -> Broadcast 802.11 98 Probe Request, SN=646, FN=0, Flags=........C, SSID=ASUS_5G
0.447529 Wisol_76:51:10 -> Broadcast 802.11 196 Probe Request, SN=649, FN=0, Flags=........C, SSID=ASUS_5G
I am using the "-T fields" field function to output the fields that I wanted, like "tshark -i mon0 -T fields -e wlan.fc.type -e wlan.fc -e wlan.fc.type_subtype".
However, I would like to get the field string (Beacon frame, Data, Probe Request) from the standard output by tshark. Can I know what command I should use?
Upvotes: 1
Views: 1795
Reputation: 6254
You can use the -o 'gui.column.format:...' option to specify the columns you want. If you run tshark -G column-formats, you will get an idea of the format to use and there's a basic example listed at the bottom, although it doesn't currently provide an example for a custom column.
For your particular use case then, namely "tshark -i mon0 -T fields -e wlan.fc.type -e wlan.fc -e wlan.fc.type_subtype", the following command may give you something closer to what you want:
tshark -i mon0 -o 'gui.column.format:"No.","%m","Type","%Cus:wlan.fc.type","Frame Control","%Cus:wlan.fc","Subtype","%Cus:wlan.fc.type_subtype"'
Upvotes: 3
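The question asks for the frame-type string that tshark prints in its default summary lines. As an added example (not code from either poster), this Python script parses lines in the layout shown in the question and extracts the frame type and SSID from the Info column; the function names and the tolerance for a leading frame-number column and a "→" arrow are assumptions.

```python
import re

# Constructed sample: the first four summary lines quoted in the question.
SAMPLE = """\
0.000000 e4:6e:d1:a4:21:3e -> Broadcast 802.11 251 Beacon frame, SN=2145, FN=0, Flags=........C, BI=100, SSID=AndroidAP
0.191876 8c:65:a1:df:2e:d2 -> Broadcast 802.11 98 Data, SN=2091, FN=0, Flags=.p....F.C
0.368961 0c:55:2c:7b:25:b0 -> Broadcast 802.11 249 Beacon frame, SN=3120, FN=0, Flags=........C, BI=100, SSID=ASUS 5G
0.373837 Wisol_76:51:10 -> Broadcast 802.11 98 Probe Request, SN=646, FN=0, Flags=........C, SSID=ASUS_5G
"""

# Columns: [No.] time, source, arrow, destination, protocol, length, Info.
# Assumption: other tshark builds may print a frame number first and use
# "→" instead of "->"; both layouts are accepted here.
LINE_RE = re.compile(
    r"^\s*(?:\d+\s+)?(?P<time>\d+\.\d+)\s+(?P<src>\S+)\s+(?:->|→)\s+"
    r"(?P<dst>\S+)\s+(?P<proto>\S+)\s+(?P<length>\d+)\s+(?P<info>.+)$"
)


def parse_line(line):
    """Return a dict for one summary line, or None if it does not match."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    # SSID is the last Info item and may itself contain ", ", so cut it first.
    head, sep, ssid = rec.pop("info").partition(", SSID=")
    items = head.split(", ")
    rec["frame_type"] = items[0]  # e.g. "Beacon frame", "Data"
    rec["attrs"] = dict(i.split("=", 1) for i in items[1:] if "=" in i)
    rec["ssid"] = ssid if sep else None
    return rec


def parse_capture(text):
    """Parse every recognisable summary line in a block of tshark output."""
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


if __name__ == "__main__":
    for r in parse_capture(SAMPLE):
        print(r["src"], r["frame_type"], r["ssid"])
```

Lines that do not follow this column layout are skipped rather than guessed at, so a count of parsed records against input lines shows how much of a capture was not recognised.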