
Wireshark-users: Re: [Wireshark-users] Packet List Display

From: Kevin Cullimore <kcullimo@xxxxxxxxxx>
Date: Fri, 06 Jun 2008 03:23:13 -0400
Tony Fortunato wrote:
Hi Sake,

I was fumbling around tshark and was getting close, but you did a far better job than I did. I was looking for the ip.id to correlate when I compare two trace files.

I would prefer a way to do it in the GUI, but this will do nicely.

Given those specific requirements (IP header field, GUI), why doesn't

Edit->Preferences->Columns->New->
Title: <arbitrary-text-string>
Format: Custom
Unlabeled text box to the right of the Format drop-down control: ip.id (display filter syntax appears to work, at least in this case)

->OK

meet your needs? Wireshark appears to both display & export the new column.

Thanks
-------------------------------------------------------
Tony Fortunato, Sr Network Specialist The Technology Firm 905 702-0108
www.thetechfirm.com
Getting things to work better - bit by bit-

-----Original Message-----
From: Sake Blok [mailto:sake@xxxxxxxxxx] Sent: Wednesday, May 21, 2008 2:20 PM
To: 2008@xxxxxxxxxxxxxxx; Community support list for Wireshark
Subject: Re: [Wireshark-users] Packet List Display

On Wed, May 21, 2008 at 05:16:47PM +0200, Sake Blok wrote:
On Wed, May 21, 2008 at 09:16:36AM -0400, Tony Fortunato wrote:
- I wanted to see (and ideally export) the Packet List with the IP info as the displayed protocol, even if Wireshark can decode the higher protocols.
If I understand you correctly you want the Info column to display the values as if IP was the last layer that was dissected by Wireshark?

I thought that would be possible to achieve by disabling all protocols and then enabling only Ethernet and IP. But unfortunately the IP dissector then just displays: "TCP (0x06)".

Hmmm... I looked at epan/dissectors/packet-ip.c and it shows that only exceptions are put into the "Info Column". This makes sense as IP will never be the last protocol, there will always be a protocol on top of it. If it doesn't know that protocol, it will just show "<name> (<proto-id>)".

When I disable the HTTP dissector, the Info Column will indeed show the TCP info like there was no upper layer present.

Do you want the IP dissector to behave in the same manner? (ie showing IP details in the Info Column when the upper layer protocol dissectors are disabled)

What info do you want exactly? I think you can use tshark to accomplish your goal. Let's have a try..

$ tshark -r trees.cap -T fields -e frame.number -e frame.time_relative \
    -e ip.src -e ip.dst -e ip.len -e ip.id -e ip.ttl -e ip.proto \
    -e ip.checksum -E header=y
frame.number  frame.time_relative  ip.src          ip.dst          ip.len  ip.id   ip.ttl  ip.proto  ip.checksum
1             0.000000000          213.84.244.33   213.206.125.36  40      0xfed7  120     0x06      0xe78e
2             0.037319000          213.206.99.118  213.206.125.35  128     0x2ed6  59      0x32      0xc43f
3             1.018455000          213.206.125.36  213.84.244.33   136     0xa817  63      0x06      0x76ef
4             1.231212000          213.84.244.33   213.206.125.36  40      0xfed8  120     0x06      0xe78d
5             2.820017000          213.84.244.33   213.206.125.36  88      0xfed9  120     0x06      0xe75c
6             2.854071000          213.206.125.36  213.84.244.33   40      0xa818  63      0x06      0x774e
7             2.968476000          213.84.244.33   213.206.125.36  88      0xfeda  120     0x06      0xe75b
8             2.969336000          213.206.125.36  213.84.244.33   40      0xa819  63      0x06      0x774d
9             2.971973000          213.206.125.36  213.84.244.33   344     0xa81a  63      0x06      0x761c

Does something like that fit your needs?

Cheers,
    Sake

_______________________________________________
Wireshark-users mailing list
Wireshark-users@xxxxxxxxxxxxx
http://www.wireshark.org/mailman/listinfo/wireshark-users
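Tony's stated goal in this thread is to use ip.id to correlate frames between two trace files, and Sake's tshark command is the step that gets the field out of each file. The script below is an added example, not code from the thread or from the Wireshark project: it parses the tab-separated output of that tshark invocation for two captures and pairs frames on (ip.src, ip.dst, ip.proto, ip.id). CAPTURE_A reproduces the nine frames Sake posted; CAPTURE_B is a constructed second capture of the same conversation, assumed to have been taken one router hop closer to 213.84.244.33 (so TTLs differ by one, checksums are shifted accordingly, the clock base differs, and one frame is missing). The match key includes addresses and protocol because ip.id is only 16 bits and repeats quickly; frames whose id is 0x0000 are left unmatched, since RFC 6864 allows senders to put any value in the ID of DF datagrams and 0 is a common choice.

```python
"""Correlate frames between two captures on the IPv4 identification field.

Input is what Sake's tshark command writes (tab-separated, header line from -E header=y):

    tshark -r a.cap -T fields -e frame.number -e frame.time_relative \
        -e ip.src -e ip.dst -e ip.len -e ip.id -e ip.ttl -e ip.proto \
        -e ip.checksum -E header=y > a.tsv
"""
import csv
from collections import defaultdict
from io import StringIO

HEADER = ("frame.number\tframe.time_relative\tip.src\tip.dst\tip.len"
          "\tip.id\tip.ttl\tip.proto\tip.checksum")

# The nine frames from the mailing-list post.
CAPTURE_A = HEADER + "\n" + "\n".join([
    "1\t0.000000000\t213.84.244.33\t213.206.125.36\t40\t0xfed7\t120\t0x06\t0xe78e",
    "2\t0.037319000\t213.206.99.118\t213.206.125.35\t128\t0x2ed6\t59\t0x32\t0xc43f",
    "3\t1.018455000\t213.206.125.36\t213.84.244.33\t136\t0xa817\t63\t0x06\t0x76ef",
    "4\t1.231212000\t213.84.244.33\t213.206.125.36\t40\t0xfed8\t120\t0x06\t0xe78d",
    "5\t2.820017000\t213.84.244.33\t213.206.125.36\t88\t0xfed9\t120\t0x06\t0xe75c",
    "6\t2.854071000\t213.206.125.36\t213.84.244.33\t40\t0xa818\t63\t0x06\t0x774e",
    "7\t2.968476000\t213.84.244.33\t213.206.125.36\t88\t0xfeda\t120\t0x06\t0xe75b",
    "8\t2.969336000\t213.206.125.36\t213.84.244.33\t40\t0xa819\t63\t0x06\t0x774d",
    "9\t2.971973000\t213.206.125.36\t213.84.244.33\t344\t0xa81a\t63\t0x06\t0x761c",
])

# Constructed: the same exchange captured one hop closer to 213.84.244.33.
# Frame 2 (a different host pair) is not seen there, 0xa818 was lost, the
# clock base is ~10.5 s off, and checksums are shifted by 0x0100 per TTL step.
CAPTURE_B = HEADER + "\n" + "\n".join([
    "1\t10.500012000\t213.84.244.33\t213.206.125.36\t40\t0xfed7\t121\t0x06\t0xe68e",
    "2\t11.518400000\t213.206.125.36\t213.84.244.33\t136\t0xa817\t62\t0x06\t0x77ef",
    "3\t11.731150000\t213.84.244.33\t213.206.125.36\t40\t0xfed8\t121\t0x06\t0xe68d",
    "4\t13.320003000\t213.84.244.33\t213.206.125.36\t88\t0xfed9\t121\t0x06\t0xe65c",
    "5\t13.468460000\t213.84.244.33\t213.206.125.36\t88\t0xfeda\t121\t0x06\t0xe65b",
    "6\t13.469300000\t213.206.125.36\t213.84.244.33\t40\t0xa819\t62\t0x06\t0x784d",
    "7\t13.471990000\t213.206.125.36\t213.84.244.33\t344\t0xa81a\t62\t0x06\t0x771c",
])

NON_IDENTIFYING_IDS = {"0x0000"}  # DF datagrams may carry any id (RFC 6864)


def parse_fields(text):
    """Parse `tshark -T fields -E header=y` output into a list of dicts."""
    rows = []
    for row in csv.DictReader(StringIO(text), delimiter="\t"):
        row["frame.number"] = int(row["frame.number"])
        row["frame.time_relative"] = float(row["frame.time_relative"])
        row["ip.ttl"] = int(row["ip.ttl"])
        rows.append(row)
    return rows


def key(row):
    # ip.id alone is not unique: 16 bits, per-sender, and reused quickly.
    return (row["ip.src"], row["ip.dst"], row["ip.proto"], row["ip.id"])


def correlate(a_rows, b_rows):
    """Pair A frames with B frames sharing (src, dst, proto, ip.id), in capture order.

    Returns (matches, frames only in A, frames only in B). ttl_delta is A's TTL
    minus B's: negative means B was captured upstream (closer to the sender).
    """
    pending = defaultdict(list)
    for s in b_rows:
        if s["ip.id"] not in NON_IDENTIFYING_IDS:
            pending[key(s)].append(s)
    matches, only_a = [], []
    for r in a_rows:
        bucket = pending.get(key(r)) if r["ip.id"] not in NON_IDENTIFYING_IDS else None
        if not bucket:
            only_a.append(r["frame.number"])
            continue
        s = bucket.pop(0)
        matches.append({
            "ip.id": r["ip.id"],
            "frame_a": r["frame.number"],
            "frame_b": s["frame.number"],
            "ttl_delta": r["ip.ttl"] - s["ip.ttl"],
            "time_offset": s["frame.time_relative"] - r["frame.time_relative"],
        })
    only_b = [s["frame.number"] for bucket in pending.values() for s in bucket]
    return matches, only_a, only_b


if __name__ == "__main__":
    found, a_only, b_only = correlate(parse_fields(CAPTURE_A), parse_fields(CAPTURE_B))
    for m in found:
        print(f"ip.id {m['ip.id']}: A#{m['frame_a']} <-> B#{m['frame_b']}  "
              f"ttl delta {m['ttl_delta']:+d}  time offset {m['time_offset']:+.6f}s")
    print("only in A:", a_only)
    print("only in B:", b_only)
```

The TTL delta tells you on which side of the other capture point a given direction of traffic was seen, and the per-pair time offset is the clock skew between the two sniffers plus the path delay; a drift in that offset across the trace is a clock problem, a jump in it is a retransmission or a lost frame being matched to the wrong copy.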