Re: question, how to output specific fields in a complex packet using tshark command line

[Martin Visser <martinvisser99 () gmail com>]

Unfortunately each -e field only matches a single instance. You are better
off parsing the PDML output, that outputs all of the fields by iterating
through the field. I have created a perl one-liner that can do this:-

tshark.exe  -T pdml -r "MCNew.cap"  | perl -ane
'@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc
h248.transactionId);\
foreach $f (@flist) {\
 if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$1,";}}'

Output is:

1307690,1307721,2046823431,1310708,1307721,1307690,1307721,3825208323,
1307719,1307721,1307690,1307721,3288337409,1307817,1307721,1307690,
1307721,2449476613,1307690,1307721,752404340,

Note that it seems (with this protocol) that as there seems to be a variable
number of same field and some are option (for instance the second opc/dpc
set doesn't have a matching transactionId), I would include the field name
in the output so:

tshark.exe  -T pdml -r "MCNew.cap"  | perl -ane
'@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc
h248.transactionId);\
foreach $f (@flist) {\
 if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}'

m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,


Regards, Martin

MartinVisser99 () gmail com


2010/7/12 damker <damker () sina com>

> *发件人:* damker [mailto:damker () sina com]
> *发送时间:* 2010年7月12日 16:26
> *收件人:* 'Wireshark-users-request () wireshark org'
> *主题:* help,how to output specific fields in a complex packet using tshark
> command line
>
>
>
> Help
>
> The attachment is a packet captured in the Mc interface, there are 8 SCTP
> and upper layers, I want to output all the m3ua.protocol_data_opc,
> m3ua.protocol_data_dpc,h248.transactionId in every M3UA.
>
> If put the file in d:\temp\ and using the command line below:
>
>
>
> tshark -r d:\temp\MCNew.cap -T fields -E separator=, -e
> m3ua.protocol_data_opc -e m3ua.protocol_data_dpc -e h248.transactionId
> > d:\temp\h248.txt
>
>
>
> it output the last m3ua.protocol_data_opc,
> m3ua.protocol_data_dpc,h248.transactionId,not all. how to write a correct
> command line to output all the fields I want?
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe