Wireshark-users: Re: [Wireshark-users] Help needed controlling tshark output format

From: "Andrew Cuthbertson" <cuthbertson@xxxxxxxxxxxxx>
Date: Wed, 4 Jun 2008 09:11:14 +0200

Great. The latter would work good for me. remember the header value. How
long do you think it would take to do this?, and how will I know when it's
available
Meanwhile, how did you do the delimiter in -o column format?
-w doen't have text output option that's why I use >
Any idea if point 3 below is possible.


From: "Rob MacKenzie" <rmackenzie@xxxxxxx>
Date: Mon, 2 Jun 2008 10:44:50 -0400

I know your problem.  I am looking at providing a patch soon, but I
haven't decided to if I should modify the -o column.output or add
options for %i style info into -T feilds.  Probably the latter.

In the mean-time, I just added a hardcoded delimiter to a custom version
of Tshark I compiled for the -o column.format method.

For the custom fields, check to make sure you are running at least 1.0.0
of Tshark, as it was recently added.  Also, you should be using -T
fields, not -t text.  Lastly, it might be easier to use -w for
outputting the -T fields to a file then using stout redirection

	From Andrew Cuthbertson
	1. I want to get data out in a delimited format to load into a
	spreadsheet/database for custom reporting and analysis.
	2. I would like to be able to get the data value and the decoded value.
	eg tcp.port value is 80, decoded value is http
	3. I would like to see if the packets are marked by a specified analysis
	flag, eg tcp.analysis.retransmission