Wireshark mailing list archives

Re: tshark -T fields


From: Martin Visser <martinvisser99 () gmail com>
Date: Tue, 13 Jul 2010 10:09:57 +1000

Doug and Peter,

This is basically the same question as Damker's post which I have responded
to here -
http://www.wireshark.org/lists/wireshark-users/201007/msg00108.html

Unfortunately each -e field only matches a single instance. You are better
off parsing the PDML output, which outputs all of the fields by iterating
through the field. I have created a Perl one-liner that can do this:

tshark.exe -T pdml -r "MCNew.cap" | perl -ne '
  @flist = qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId);
  # tshark writes one PDML <field .../> element per line; \Q..\E keeps the dots literal
  foreach $f (@flist) {
    if (/field name="\Q$f\E".*show="(.*?)"/) { print "$1,"; }
  }'

Output is:

1307690,1307721,2046823431,1310708,1307721,1307690,1307721,3825208323,
1307719,1307721,1307690,1307721,3288337409,1307817,1307721,1307690,
1307721,2449476613,1307690,1307721,752404340,

Note that (with this protocol) there seems to be a variable number of the
same field and some are optional (for instance the second opc/dpc set
doesn't have a matching transactionId), so I would include the field name
in the output:

tshark.exe -T pdml -r "MCNew.cap" | perl -ne '
  @flist = qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId);
  # same as above, but prefix each value with its field name
  foreach $f (@flist) {
    if (/field name="\Q$f\E".*show="(.*?)"/) { print "$f:$1,"; }
  }'

m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,


Regards, Martin


MartinVisser99 () gmail com
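As an added example (not Martin's one-liner and not Wireshark code), the same extraction done with an XML parser so that attribute order, nesting and escaped quotes in the PDML cannot break the match, and so that the values stay grouped per packet, which is what makes the optional transactionId visible. The PDML below is constructed to mimic tshark -T pdml output; the field names are the thread's, the values are made up.

```python
# Added example: per-packet extraction of every instance of selected fields
# from tshark PDML, using xml.etree instead of a per-line regex.
import io
import xml.etree.ElementTree as ET

WANTED = ("m3ua.protocol_data_opc", "m3ua.protocol_data_dpc", "h248.transactionId")

# Constructed sample: packet 2 carries two opc/dpc pairs and no transactionId.
SAMPLE_PDML = """<pdml version="0" creator="wireshark/1.4.0">
<packet>
  <proto name="m3ua" showname="MTP 3 User Adaptation Layer" size="32" pos="42">
    <field name="m3ua.protocol_data_opc" showname="OPC: 1307690" size="4" pos="50" show="1307690" value="0013f3aa"/>
    <field name="m3ua.protocol_data_dpc" showname="DPC: 1307721" size="4" pos="54" show="1307721" value="0013f3c9"/>
  </proto>
  <proto name="h248" showname="H.248 MEGACO" size="40" pos="74">
    <field name="h248.transactionId" showname="Transaction ID: 2046823431" size="4" pos="80" show="2046823431" value="7a01fc07"/>
  </proto>
</packet>
<packet>
  <proto name="m3ua" showname="MTP 3 User Adaptation Layer" size="64" pos="42">
    <field name="m3ua.protocol_data_opc" showname="OPC: 1310708" size="4" pos="50" show="1310708" value="0013fff4"/>
    <field name="m3ua.protocol_data_dpc" showname="DPC: 1307721" size="4" pos="54" show="1307721" value="0013f3c9"/>
    <field name="m3ua.protocol_data_opc" showname="OPC: 1307690" size="4" pos="82" show="1307690" value="0013f3aa"/>
    <field name="m3ua.protocol_data_dpc" showname="DPC: 1307721" size="4" pos="86" show="1307721" value="0013f3c9"/>
  </proto>
</packet>
</pdml>
"""


def pdml_fields(pdml_text, wanted=WANTED):
    """One list per packet of (field name, show value), in document order."""
    packets = []
    source = io.BytesIO(pdml_text.encode("utf-8"))
    for _event, elem in ET.iterparse(source, events=("end",)):
        if elem.tag != "packet":
            continue
        # .iter() also reaches <field> elements nested inside other fields.
        found = [(f.get("name"), f.get("show", "")) for f in elem.iter("field")
                 if f.get("name") in wanted]
        packets.append(found)
        elem.clear()  # release the packet subtree: flat memory on huge dumps
    return packets


def as_rows(packets):
    """Render each packet as name:value,... (the thread's second output form)."""
    return [",".join(f"{n}:{v}" for n, v in p) for p in packets]
```

Run it on real output with `tshark -T pdml -r capture.cap` piped into the script; each row then corresponds to one packet rather than one flat list.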


On Mon, Jul 12, 2010 at 10:42 PM, Douglas Wood <doug.wood () ieee org> wrote:

I have created a modified version of Wireshark in which I produce tab
delimited files that actually aggregate multiple instances of particular
fields.  In fact, the output can become way too voluminous, but it is much
faster to process these tab delimited files than the PDML output,
especially when there are 100,000's of packets.

I will attest that the aggregation of multiple instances of a field is
pretty tricky.  I wouldn't mind working with somebody else to try to
generalize what I have done.

Doug



Peter Gordon wrote:
tshark can be used to display fields using the -T option.
If the same field occurs a number of times within a protocol,
only one value (the last) gets displayed.

As far as I can see the error looks like it comes from the
routine proto_tree_write_fields.

The -T pdml option gives the correct output, but is too voluminous.

Can anyone help with a fix?

There's at least one bug for that:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3818

It was discussed quite a bit at Sharkfest this year too--there seemed to
be quite a bit of interest in finding a way to fix it.  (But: as
evidenced by the fact that there is so much interest and it hasn't been
done yet, it's non-trivial to implement.)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request () wireshark org?subject=unsubscribe
