Re: [Wireshark-users] 答复: 答复: question, how to output specific fields in a complex packet using tshark command line

[Martin Visser <martinvisser99 () gmail com>]

Damker,

If there are "missing" fields, then you need to allow for that in how you
are using it. I know very little about H.248, I can only assume that the
transaction ID is optional hence why it is missing from some of the PDUs.
Wireshark only ever displays what it finds in the packet, not what is not
there.

Regards, Martin

MartinVisser99 () gmail com


On Tue, Jul 13, 2010 at 7:35 PM, damker <damker () sina com> wrote:

>  Yes, it’s in Windows CMD, in CMD the syntax recommend to use double
> quote(“), or it will return error like that:
>
>
>
> Can't find string terminator "'" anywhere before EOF at -e line 1.
>
>
>
> Using that line in CMD:
>
> tshark.exe  -T pdml -r "MCNew.cap"  | perl -ane
> "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc
> h248.transactionId); foreach $f (@flist) { if(/field
> name=\"$f\".*show=\"(.*?)\".*/){print $f,':',$1,',';}}"
>
>
>
> the result is the same you got before:
>
>
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
> m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
>
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
> m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
>
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
> m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
>
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,
>
>
>  but I thought that if the result is like that
>
>
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
> m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,,
>
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
> m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,,
>
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
> m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,,
>
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,
>
>
>  it will be more easily used by other program.
>
>
>
> *发件人:* wireshark-users-bounces () wireshark org [mailto:
> wireshark-users-bounces () wireshark org] *代表 *Martin Visser
> *发送时间:* 2010年7月13日 14:28
> *收件人:* Community support list for Wireshark
> *主题:* Re: [Wireshark-users] 答复: question, how to output specific fields in
> a complex packet using tshark command line
>
>
>
> I think you have a shell substitution problem. (I was doing this in Cygwin
> on Windows, which would be compatible with Linux/UNIX shells), but I am
> guess you are doing this in Windows CMD.
>
> I noticed you changed my single quote (') to a double quote (") after perl
> -ane and at the end. Can you leave these as a single quote? Otherwise you
> might need to escape the characters that seemed to have gone missing so "$f:$1,"
> becomes "$f\:$1\," (or something like that)
>
> Sorry, but Windows CMD does some strange (hence why those in the know use
> Cygwin if they have to do this thing on Windows).
>
> Alternately you can put everything in a self-contained Perl script, and not
> have to understand the Windows command shell idiosyncrasies.
>
> Regards, Martin
>
> MartinVisser99 () gmail com
>
>  On Tue, Jul 13, 2010 at 2:13 PM, damker <damker () sina com> wrote:
>
> Thanks, the theory  is ok, but something others happened.
>
> My OS is WIN7+ActivePerl 5.10,
>
>
>
> When using
>
> tshark.exe  -T pdml -r "d:\temp\MCNew.cap"  | perl -ane
> "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc
> h248.transactionId); foreach $f (@flist) { if(/field
> name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}" > d:\temp\mcnew.txt
>
>
>
> error reported:
>
> syntax error at -e line 1, near "$f:"
>
> Execution of -e aborted due to compilation errors.
>
> tshark: An error occurred while printing packets: Invalid argument.
>
>
>
> When using
>
> tshark.exe  -T pdml -r "d:\temp\MCNew.cap"  | perl -ane
> "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc
> h248.transactionId); foreach $f (@flist) { if(/field
> name=\"$f\".*show=\"(.*?)\".*/){print "$f,$1,";}}" > d:\temp\mcnew.txt
>
>
>
> result is:
>
>
> m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId2046823431m3ua.protocol_data_opc1310708m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId3825208323m3ua.protocol_data_opc1307719m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId3288337409m3ua.protocol_data_opc1307817m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId2449476613m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId752404340
>
>
>
> there is no char “,”,any suggestion to solve this?
>
>
>
>
>
> *发件人:* wireshark-users-bounces () wireshark org [mailto:
> wireshark-users-bounces () wireshark org] *代表 *Martin Visser
> *发送时间:* 2010年7月13日 8:03
> *收件人:* Community support list for Wireshark
> *主题:* Re: [Wireshark-users] question, how to output specific fields in a
> complex packet using tshark command line
>
>
>
> Unfortunately each -e field only matches a single instance. You are better
> off parsing the PDML output, that outputs all of the fields by iterating
> through the field. I have created a perl one-liner that can do this:-
>
> tshark.exe  -T pdml -r "MCNew.cap"  | perl -ane
> '@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc
> h248.transactionId);\
> foreach $f (@flist) {\
>  if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$1,";}}'
>
> Output is:
>
> 1307690,1307721,2046823431,1310708,1307721,1307690,1307721,3825208323,
> 1307719,1307721,1307690,1307721,3288337409,1307817,1307721,1307690,
> 1307721,2449476613,1307690,1307721,752404340,
>
> Note that it seems (with this protocol) that as there seems to be a
> variable number of same field and some are option (for instance the second
> opc/dpc set doesn't have a matching transactionId), I would include the
> field name in the output so:
>
> tshark.exe  -T pdml -r "MCNew.cap"  | perl -ane
> '@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc
> h248.transactionId);\
> foreach $f (@flist) {\
>  if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}'
>
>
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
> m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
>
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
> m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
>
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
> m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
>
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
> m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,
>
>
> Regards, Martin
>
> MartinVisser99 () gmail com
>
> 2010/7/12 damker <damker () sina com>
>
>
>
>
>
> *发件人:* damker [mailto:damker () sina com]
> *发送时间:* 2010年7月12日 16:26
> *收件人:* 'Wireshark-users-request () wireshark org'
> *主题:* help,how to output specific fields in a complex packet using tshark
> command line
>
>
>
> Help
>
> The attachment is a packet captured in the Mc interface, there are 8 SCTP
> and upper layers, I want to output all the m3ua.protocol_data_opc,
> m3ua.protocol_data_dpc,h248.transactionId in every M3UA.
>
> If put the file in d:\temp\ and using the command line below:
>
>
>
> tshark -r d:\temp\MCNew.cap -T fields -E separator=, -e
> m3ua.protocol_data_opc -e m3ua.protocol_data_dpc -e h248.transactionId
> > d:\temp\h248.txt
>
>
>
> it output the last m3ua.protocol_data_opc,
> m3ua.protocol_data_dpc,h248.transactionId,not all. how to write a correct
> command line to output all the fields I want?
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
>
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>             mailto:wireshark-users-request () wireshark org
> ?subject=unsubscribe
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe