I want to create a tshark filter that allow me to see only the last octet from the ip addrress. more or less like this. I have a capture and i want a filter that only display the last 3 number from the ip.
If i have like 192.168.10.1 i want just to see the number 1.
Thanks
Look at http://www.wireshark.org/docs/man-pages/tshark.html
Try :
tshark -T fields -e ip.src
tshark -T fields -e ip.dst
tshark -T fields -e ip.addr
You will have only the ip address.
If you are on unix (not tested) :
tshark -T fields -e ip.src | sed -e "s/.*.//"
You will have only the last number.
Olivier