Wireshark-users: Re: [Wireshark-users] customizing tshark -Ttext output

From: Sake Blok <sake@xxxxxxxxxx>
Date: Mon, 19 May 2008 17:42:55 +0200
On Sun, May 18, 2008 at 02:30:35PM +0200, Elof Ofel wrote:
> 
> >> 1. Where do I find a reference of the most useful field keywords to use? 
> (for the -e option)
> 
> Yeah, I found the complete list, but as you say, it was overwhelming.
> I understand it is a boring job to create a heavily reduced version of 
> this reference list, but if people are really to use the -e option, I 
> think such a list is needed. :-)

Well, the names are the same names as used in Wireshark, so you can
always use Wireshark to get the proper names of certain fields you 
want to display in Tshark. You can find out about field-names in several
ways:

- Select some protocol value in the packet detail list and the field name
  is shown in the status bar

- Right-click on some protocol value in the packet detail list and choose
  "Filter Field Reference". This will take you to the wiki page
  with all filter fields of that protocol.

- Right-click on some protocol value in the packet detail list and choose
  "copy -> as filter". This will create a display filter with the selected
  field in the copy buffer. You can use the field from the filter.


> > 2) We could add a command-line option to configure the columns to be 
> > displayed - that would let you get rid of the time stamp column, and, in 
> > combination with the "custom columns" feature, that would let you add 
> > columns for fields such as packet lengths and the TTL.
> 
> That would be just great!

This is already there, although it's a bit cryptic. You can use the 
"-o <preference>:<value>" option of Tshark to change a preference.
Since the columns that are displayed are also a preference, you can
change them. For example:

tshark -o column.format:'"No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "srcport", "%uS", "dstport", "%uD", "len", "%L", "Protocol", "%p", "Info", "%i"' -r tmp.cap

would add the port numbers to the output.

Added to that, it's now possible to add any field to the -Ttext output
by using '"<title>", "%Cus:<fieldname>"'; this gives you about all the 
flexibility you want.

If you use some column setting quite a lot, you can choose to use the
"configuration profiles" option (-C). This option will make Tshark
look for its preferences in a subdirectory of the preferences directory.
That way you can prepare a preference file with the column setting
and use that on the fly.

> Suggested solutions:
> 1.
> Add the option '-t n' as in "none"

You can omit the time column from the column preference, but it might 
be a nice feature to have the command-line switch for it as well. You could
file this as an enhancement request on http://bugs.wireshark.org

> 2.
> -C   do not show the first column with the frame number 

I personally do not want to skip the frame number, it makes discussion
of findings very hard. But you can skip it with the column preference if
needed.

> 3.
> Use multiple -V's for verboseness:
> <none> = normal one-line-summary text output
> -V     = view the full decoded packet (as normal)
> -VV    = one-line-summary list but with some additional information on 
>          each line
> Normally I do *not* need the heavy duty verboseness of tcpdump -ev, 
> like correct checksums, correct tcp sequence numbers, window scaling, 
> internal packet timestamps, fragmentation offsets, etc. This kind of 
> verboseness would be nice to have if you add yet an additional 'V':
> -VVV   = show the default one-line-summary list but with lots of 
> additional information on each line

Well, that can be solved by creating other configuration profiles with
column preferences that have all the fields you want to have added 
for that profile :-)


> Oh, and speaking of improvements:
> When I use the option -c5, I expect to get exactly 5 packets. Currently 
> I can get more than a screenful. This is just confusing. :-)

I think you run into a bug I ran into earlier. The -c option did not work
correctly when a display filter was used. Please use a recent development
build to see if my fix works for you as well...
(see: http://www.wireshark.org/download/automated/ )

> That covers the basic functions that today make me use tcpdump instead 
> of tshark.

I always like to have multiple tools available, but I think tshark can
do most (if not all) of what you want quite nicely with all the features
it has at the moment.

Feel free to suggest other cool new features you can think of :-)

Cheers,
    Sake
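As an added, runnable example (not code from Sake or from the Wireshark project): the shell script below assembles a column.format value of the kind shown in the reply above, including a %Cus: custom column for the IP TTL that the original question asked about, drops it into a configuration profile directory for use with -C, and prints the equivalent one-off "-o column.format:..." and "-T fields -e ..." command lines. It assumes the per-user profile layout $XDG_CONFIG_HOME/wireshark/profiles/<name>/preferences (2008-era builds kept profiles under ~/.wireshark/profiles/<name>) and writes into a temporary directory rather than your real configuration, so nothing here touches tshark or your preferences. The preference name column.format is the one used in the thread; on your own build, confirm the current name with `tshark -G defaultprefs | grep column.format` before relying on it.

```sh
#!/bin/sh
# Added example, not from the thread or the Wireshark project.
# Builds a tshark column.format value, installs it as a configuration
# profile and prints matching command lines. Nothing here runs tshark.

# Join "Title=FORMAT" arguments into the quoted list column.format expects:
#   "Title", "FORMAT", "Title", "FORMAT", ...
# FORMAT is a built-in column code (%m number, %t time, %s/%d addresses,
# %uS/%uD unresolved ports, %L length, %p protocol, %i info, ...) or
# %Cus:<fieldname> for any display-filter field. '=' separates title and
# format so that the ':' inside %Cus:... is left alone.
build_column_format() {
    out=""
    for spec in "$@"; do
        case $spec in
            *=*) ;;
            *) echo "bad column spec (want Title=FORMAT): $spec" >&2; return 1 ;;
        esac
        title=${spec%%=*}          # text before the first '='
        fmt=${spec#*=}             # everything after it, may contain ':'
        [ -n "$out" ] && out="$out, "
        out="$out\"$title\", \"$fmt\""
    done
    printf '%s' "$out"
}

# Write a profile directory holding only the column preference.
# $1 = config root (stand-in for ~/.config/wireshark, an assumption about
# the layout), $2 = profile name, $3 = column.format value.
# Prints the path of the preferences file it wrote.
write_profile() {
    root=$1; name=$2; colfmt=$3
    dir="$root/profiles/$name"
    mkdir -p "$dir"
    printf '# Columns for "tshark -C %s"\ncolumn.format: %s\n' \
        "$name" "$colfmt" > "$dir/preferences"
    printf '%s' "$dir/preferences"
}

# Sake's column set with an IP TTL custom column added.
COLS=$(build_column_format \
    "No.=%m" "Time=%t" "Source=%s" "Destination=%d" \
    "srcport=%uS" "dstport=%uD" "len=%L" "TTL=%Cus:ip.ttl" \
    "Protocol=%p" "Info=%i")

# One-off use: the whole value must reach tshark as a single argument,
# hence the single quotes around it.
tshark_oneoff_cmd() {
    printf "tshark -r %s -o column.format:'%s'" "$1" "$COLS"
}

# The -T fields equivalent: one -e per field, header row and comma
# separator via -E, which is easier to post-process than -Ttext columns.
tshark_fields_cmd() {
    capfile=$1; shift
    cmd="tshark -r $capfile -T fields -E header=y -E separator=,"
    for f in "$@"; do cmd="$cmd -e $f"; done
    printf '%s' "$cmd"
}

# Demo: a throwaway root instead of the real configuration directory.
PROFILE_ROOT=$(mktemp -d)
PREFS=$(write_profile "$PROFILE_ROOT" "ports-ttl" "$COLS")
echo "wrote $PREFS"
echo "$(tshark_oneoff_cmd tmp.cap)"
echo "tshark -C ports-ttl -r tmp.cap   # after copying profiles/ports-ttl under your config dir"
echo "$(tshark_fields_cmd tmp.cap frame.number ip.src ip.dst tcp.srcport tcp.dstport frame.len ip.ttl)"
```

To find the field names to feed %Cus: or -e without the GUI, `tshark -G fields` lists every registered field; the abbreviated name used in filters is the third tab-separated column, so `tshark -G fields | awk -F'\t' '$3 ~ /^ip\./ {print $3}'` narrows it to the ip.* fields.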