Wireshark

[Kevin Cullimore <kcullimo@xxxxxxxxxx>]

Tony Fortunato wrote:
> Hi  Sake,
>
> I was fumbling around tshark and was getting close, but you did a far better
> job than I did.  I was looking for the IP.id to correlate when I compare two
> trace files.
>
> I would prefer a way to do it in the GUI, but will do nicely.
>
>   
Given those specific requirements (ip header field, GUI) , why doesn't

Edit->Preferences->Columns->New->
Title: <arbitrary-text-string>
Format: Custom
Unlabeled text box to the right of the Format drop-down control: ip.id 
(display filter syntax appears to work, at least in this case)

->OK

meet your needs? Wireshark appears to both display & export the new column.

> Thanks
> -------------------------------------------------------
> Tony Fortunato, Sr Network Specialist 
> The Technology Firm 
> 905 702-0108
> www.thetechfirm.com
> Getting things to work better - bit by bit- 
>  
>
>
> -----Original Message-----
> From: Sake Blok [mailto:sake@xxxxxxxxxx] 
> Sent: Wednesday, May 21, 2008 2:20 PM
> To: 2008@xxxxxxxxxxxxxxx; Community support list for Wireshark
> Subject: Re: [Wireshark-users] Packet List Display
>
> On Wed, May 21, 2008 at 05:16:47PM +0200, Sake Blok wrote:
>   
> > On Wed, May 21, 2008 at 09:16:36AM -0400, Tony Fortunato wrote:
> >     
> > > - I wanted to see (and ideally export) the Packet List with the IP 
> > > info as the displayed protocol, even if Wireshark can decode the higher
> > >       
> protocols.
>   
> > If I understand you correctly you want the Info column to display the 
> > values as if IP was the last layer that was dissected by Wireshark?
> >
> > I thought that would be possible to achieve by disabling all protocols 
> > and then enabling only Ethenet and IP. But unfortunately the IP 
> > dissector then just displays: "TCP (0x06)".
> >     
>
> Hmmm... I looked at epan/dissectors/packet-ip.c and it shows that only
> exceptions are put into the "Info Column". This makes sense as IP will never
> be the last protocol, there will always be a protocol on top of it. If it
> doesn't that protocol, it will just show "<name> (<proto-id>)".
>
>   
> > When I disable the HTTP dissector, the Info Column will indeed show 
> > the TCP info like there was no upper layer present.
> >
> > Do you want the IP dissector to behave in the same manner? 
> > (ie showing IP details in the Info Column when the upper layer 
> > protocol dissectors are disabled)
> >     
>
> What info do you want exactly? I think you can use tshark to accomplish your
> goal. Let's have a try..
>
> $ tshark -r trees.cap -T fields -e frame.number -e frame.time_relative -e
> ip.src -e ip.dst -e ip.len -e ip.id -e ip.ttl -e ip.proto  -e ip.checksum -E
> header=y 
>  frame.number    frame.time_relative     ip.src  ip.dst  ip.len  ip.id
> ip.ttl  ip.proto        ip.checksum
>  1       0.000000000     213.84.244.33   213.206.125.36  40      0xfed7  120
> 0x06    0xe78e
>  2       0.037319000     213.206.99.118  213.206.125.35  128     0x2ed6  59
> 0x32    0xc43f
>  3       1.018455000     213.206.125.36  213.84.244.33   136     0xa817  63
> 0x06    0x76ef
>  4       1.231212000     213.84.244.33   213.206.125.36  40      0xfed8  120
> 0x06    0xe78d
>  5       2.820017000     213.84.244.33   213.206.125.36  88      0xfed9  120
> 0x06    0xe75c
>  6       2.854071000     213.206.125.36  213.84.244.33   40      0xa818  63
> 0x06    0x774e
>  7       2.968476000     213.84.244.33   213.206.125.36  88      0xfeda  120
> 0x06    0xe75b
>  8       2.969336000     213.206.125.36  213.84.244.33   40      0xa819  63
> 0x06    0x774d
>  9       2.971973000     213.206.125.36  213.84.244.33   344     0xa81a  63
> 0x06    0x761c
>
> Does something like that fit your needs?
>
> Cheers,
>     Sake
>
> _______________________________________________
> Wireshark-users mailing list
> Wireshark-users@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-users
>
>
>