Great. The latter would work good for me. remember the header value. How
long do you think it would take to do this?, and how will I know when it's
available
Meanwhile, how did you do the delimiter in -o column format?
-w doen't have text output option that's why I use >
Any idea if point 3 below is possible.
From: "Rob MacKenzie" <rmackenzie@xxxxxxx>
Date: Mon, 2 Jun 2008 10:44:50 -0400
I know your problem. I am looking at providing a patch soon, but I
haven't decided to if I should modify the -o column.output or add
options for %i style info into -T feilds. Probably the latter.
In the mean-time, I just added a hardcoded delimiter to a custom version
of Tshark I compiled for the -o column.format method.
For the custom fields, check to make sure you are running at least 1.0.0
of Tshark, as it was recently added. Also, you should be using -T
fields, not -t text. Lastly, it might be easier to use -w for
outputting the -T fields to a file then using stout redirection
From Andrew Cuthbertson
1. I want to get data out in a delimited format to load into a
spreadsheet/database for custom reporting and analysis.
2. I would like to be able to get the data value and the decoded value.
eg tcp.port value is 80, decoded value is http
3. I would like to see if the packets are marked by a specified analysis
flag, eg tcp.analysis.retransmission
