Wireshark mailing list archives
Re: [Wireshark-users] Re: Re: question, how to output specific fields in a complex packet using tshark command line
From: Martin Visser <martinvisser99 () gmail com>
Date: Wed, 14 Jul 2010 07:21:18 +1000
Damker,

If there are "missing" fields, then you need to allow for that in how you are using it. I know very little about H.248; I can only assume that the transaction ID is optional, hence why it is missing from some of the PDUs. Wireshark only ever displays what it finds in the packet, not what is not there.

Regards, Martin
MartinVisser99 () gmail com

On Tue, Jul 13, 2010 at 7:35 PM, damker <damker () sina com> wrote:
Yes, it's in Windows CMD. In CMD the syntax recommends using double quotes ("), or it returns an error like this:

    Can't find string terminator "'" anywhere before EOF at -e line 1.

Using this line in CMD:

    tshark.exe -T pdml -r "MCNew.cap" | perl -ane "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print $f,':',$1,',';}}"

the result is the same as you got before:

    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
    m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
    m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
    m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,

but I thought that if the result were like this:

    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
    m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
    m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
    m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,

it would be more easily used by other programs.
From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On behalf of Martin Visser
Sent: 13 July 2010 14:28
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] Re: question, how to output specific fields in a complex packet using tshark command line

I think you have a shell substitution problem. (I was doing this in Cygwin on Windows, which would be compatible with Linux/UNIX shells), but I am guessing you are doing this in Windows CMD. I noticed you changed my single quote (') to a double quote (") after perl -ane and at the end. Can you leave these as a single quote? Otherwise you might need to escape the characters that seem to have gone missing, so "$f:$1," becomes "$f\:$1\," (or something like that). Sorry, but Windows CMD does some strange things (hence why those in the know use Cygwin if they have to do this sort of thing on Windows). Alternatively you can put everything in a self-contained Perl script, and not have to understand the Windows command shell idiosyncrasies.

Regards, Martin
MartinVisser99 () gmail com

On Tue, Jul 13, 2010 at 2:13 PM, damker <damker () sina com> wrote:

Thanks, the theory is OK, but something else happened. My OS is WIN7 + ActivePerl 5.10. When using

    tshark.exe -T pdml -r "d:\temp\MCNew.cap" | perl -ane "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}" > d:\temp\mcnew.txt

the error reported is:

    syntax error at -e line 1, near "$f:"
    Execution of -e aborted due to compilation errors.
    tshark: An error occurred while printing packets: Invalid argument.
When using

    tshark.exe -T pdml -r "d:\temp\MCNew.cap" | perl -ane "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f,$1,";}}" > d:\temp\mcnew.txt

the result is:

    m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId2046823431m3ua.protocol_data_opc1310708m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId3825208323m3ua.protocol_data_opc1307719m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId3288337409m3ua.protocol_data_opc1307817m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId2449476613m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId752404340

There is no "," character. Any suggestion to solve this?

From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On behalf of Martin Visser
Sent: 13 July 2010 8:03
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] question, how to output specific fields in a complex packet using tshark command line

Unfortunately each -e field only matches a single instance. You are better off parsing the PDML output, which contains all of the fields, and iterating through the fields.
I have created a perl one-liner that can do this:

    tshark.exe -T pdml -r "MCNew.cap" | perl -ane '@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$1,";}}'

Output is:

    1307690,1307721,2046823431,1310708,1307721,1307690,1307721,3825208323,
    1307719,1307721,1307690,1307721,3288337409,1307817,1307721,1307690,
    1307721,2449476613,1307690,1307721,752404340,

Note that it seems (with this protocol) that there is a variable number of the same field and some are optional (for instance the second opc/dpc set doesn't have a matching transactionId), so I would include the field name in the output:

    tshark.exe -T pdml -r "MCNew.cap" | perl -ane '@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}'

    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
    m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
    m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
    m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,

Regards, Martin
MartinVisser99 () gmail com

2010/7/12 damker <damker () sina com>

From: damker [mailto:damker () sina com]
Sent: 12 July 2010 16:26
To: 'Wireshark-users-request () wireshark org'
Subject: help, how to output specific fields in a complex packet using tshark command line

Help

The attachment is a packet captured on the Mc interface; there are 8 SCTP and upper layers. I want to output all the m3ua.protocol_data_opc, m3ua.protocol_data_dpc, h248.transactionId in every M3UA. If I put the file in d:\temp\ and use the command line below:

    tshark -r d:\temp\MCNew.cap -T fields -E separator=, -e m3ua.protocol_data_opc -e m3ua.protocol_data_dpc -e h248.transactionId > d:\temp\h248.txt

it outputs only the last m3ua.protocol_data_opc, m3ua.protocol_data_dpc, h248.transactionId, not all of them. How do I write a correct command line to output all the fields I want?

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
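The approach Martin recommends, parsing the PDML instead of relying on -e, carried through as a self-contained script that also produces the per-PDU layout damker asked for (a row per M3UA PDU, with an empty column where that PDU has no h248.transactionId). This is an added example for this thread, not code from either poster. It is written in Python rather than Perl so the same file runs unchanged under Windows CMD and Unix shells with no quoting at all, which is what the thread spends most of its time fighting. It assumes PDML as emitted by `tshark -T pdml` (a `<pdml>` root, one `<packet>` per frame, nested `<proto>`/`<field>` elements carrying `name` and `show` attributes); the embedded sample PDML is constructed by hand to mirror the values in the thread, and the record-boundary rule (a new record starts at each m3ua.protocol_data_opc) is a choice made for this example, not something PDML itself defines.

```python
"""Extract every occurrence of chosen fields from tshark PDML output.

Added example for this thread, not code from either poster. Assumes PDML
as written by `tshark -T pdml`: a <pdml> root, one <packet> per frame,
nested <proto>/<field> elements with `name` and `show` attributes.
"""
import sys
import xml.etree.ElementTree as ET

# Fields to pull out, in output order. The first one is the "leader": each
# time it appears a new record (one M3UA PDU) starts, so a PDU that lacks a
# later field still yields a row with an empty column for it.
WANTED = ("m3ua.protocol_data_opc", "m3ua.protocol_data_dpc", "h248.transactionId")

# Constructed sample PDML, trimmed to the attributes this script uses. The
# values mirror the thread: packet 2 has no transactionId, packet 3 bundles
# two M3UA PDUs in one SCTP frame and only the first carries an H.248 one.
SAMPLE_PDML = """<pdml version="0" creator="wireshark/1.2.0">
<packet>
  <proto name="geninfo"><field name="num" show="1"/></proto>
  <proto name="m3ua">
    <field name="m3ua.protocol_data" showname="Protocol data">
      <field name="m3ua.protocol_data_opc" showname="OPC: 1307690" show="1307690"/>
      <field name="m3ua.protocol_data_dpc" showname="DPC: 1307721" show="1307721"/>
    </field>
  </proto>
  <proto name="h248">
    <field name="h248.transactionId" show="2046823431"/>
  </proto>
</packet>
<packet>
  <proto name="geninfo"><field name="num" show="2"/></proto>
  <proto name="m3ua">
    <field name="m3ua.protocol_data_opc" show="1310708"/>
    <field name="m3ua.protocol_data_dpc" show="1307721"/>
  </proto>
</packet>
<packet>
  <proto name="geninfo"><field name="num" show="3"/></proto>
  <proto name="m3ua">
    <field name="m3ua.protocol_data_opc" show="1307690"/>
    <field name="m3ua.protocol_data_dpc" show="1307721"/>
  </proto>
  <proto name="h248">
    <field name="h248.transactionId" show="3825208323"/>
  </proto>
  <proto name="m3ua">
    <field name="m3ua.protocol_data_opc" show="1307719"/>
    <field name="m3ua.protocol_data_dpc" show="1307721"/>
  </proto>
</packet>
</pdml>
"""


def extract_records(pdml_text, wanted=WANTED):
    """Return one list per packet; each list holds dicts field -> show value,
    one dict per record, with "" for any wanted field the record lacks."""
    root = ET.fromstring(pdml_text)
    leader = wanted[0]
    packets = []
    for pkt in root.iter("packet"):
        records, current = [], None
        # iter() walks the whole subtree in document order, so fields nested
        # under other fields or spread over several <proto> blocks are all seen.
        for fld in pkt.iter("field"):
            name = fld.get("name")
            if name not in wanted:
                continue
            if name == leader or current is None:
                current = dict.fromkeys(wanted, "")
                records.append(current)
            current[name] = fld.get("show", "")
        packets.append(records)
    return packets


def to_csv_lines(packets, wanted=WANTED, sep=","):
    """Flatten to one line per record: values only, in WANTED order, with an
    empty trailing column where the record has no transactionId."""
    lines = [sep.join(wanted)]  # header row so consumers know the columns
    for records in packets:
        for rec in records:
            lines.append(sep.join(rec[f] for f in wanted))
    return lines


def main(argv):
    # Read PDML from a file argument or from a pipe; with neither, fall back
    # to the embedded sample so the script demonstrates itself.
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    elif not sys.stdin.isatty():
        text = sys.stdin.read()
    else:
        text = SAMPLE_PDML
    for line in to_csv_lines(extract_records(text)):
        print(line)


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `tshark -T pdml -r MCNew.cap | python pdml_fields.py` (or pass the saved PDML file as an argument); the file name is a placeholder. Using an XML parser instead of a per-line regex also removes three fragilities of the one-liner: it does not depend on attribute order or on `show=` being the first quoted attribute after the name, it handles elements that the dissector splits across lines, and it unescapes XML entities in `show` values. Newer tshark releases also accept `-E occurrence=a` to emit every occurrence of a `-e` field, but that still gives no empty placeholder for a PDU that lacks the field, so the record grouping above is still what produces damker's layout.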
Current thread:
- question, how to output specific fields in a complex packet using tshark command line damker (Jul 12)
- Very strange SSH probe Michael Glenn (Jul 12)
- Re: Very strange SSH probe Martin Visser (Jul 12)
- Re: Very strange SSH probe Andrew Hood (Jul 12)
- Re: question, how to output specific fields in a complex packet using tshark command line Martin Visser (Jul 12)
- Re: question, how to output specific fields in a complex packet using tshark command line damker (Jul 12)
- Re: [Wireshark-users] Re: question, how to output specific fields in a complex packet using tshark command line Martin Visser (Jul 12)
- Re: Re: question, how to output specific fields in a complex packet using tshark command line damker (Jul 13)
- Re: [Wireshark-users] Re: Re: question, how to output specific fields in a complex packet using tshark command line Martin Visser (Jul 13)