Wireshark-users: [Wireshark-users] Combining Info and -T fields in tshark

From: "James Talbut" <James.Talbut@xxxxxxxxx>
Date: Sat, 20 Sep 2008 12:11:19 +0100
Hi,
 
I'd want to be able to produce an easily parsable output from tshark that includes the Information column.
 
I've seen this come up in mailing lists many times, but I don't know if anyone is working on a proper fix for it.
At the moment the -T text output is difficult to parse - being neither fixed width nor delimited, inserting extra "=>" between fields and padding some fields a bit, but still leaving them variable length.
So I'd much rather work with the -T fields output, but that doesn't include the Information field.
My parsing (in Python) currently works, but only has one "difficult" column (info); I need to get at things like the http.authbasic field too.
 
Having had a brief look at the code there seem to be a number of options:
1. Introduce configurable delimiters to the -T text output.
   One easy option for this might be to introduce a new column a bit like the %cus column but that allowed the direct placement of text "%text:\t"
   The output would still have extraneous spaces in it, but they can easily be stripped after the splitting.
2. Make all the columns available as fields that -T can use: -e column.info
3. Quick fix: allow the combination of both -T fields and -T text.
 
The last one seems to be trivial to do, but the second one is, IMO, much more desirable.
 
Q1. Is anyone working on this? 
Are there any patches available? Is there even a bug for it (I couldn't find one)?
 
Q2. I could make a patch that does the third option (it would always do the fields first, and then follow with the columns) - is there any interest in such a patch?
I'm afraid I don't have the time to take on either of the other options, though I'd love to see them in there.
 
Thanks.
 
Jim
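
Added example, not part of the original message or of Wireshark's code: a Python parser for tab-separated `-T fields` output, the format the post prefers, used here to list frames that carry HTTP Basic credentials (`http.authbasic`) without keeping the password. The field list, the sample lines, the assumed `user:password` value format and the function names are assumptions made for illustration.

```python
# Field order must match the -e options given to tshark, for example:
#   tshark -r capture.pcap -T fields -E separator=/t \
#       -e frame.number -e ip.src -e ip.dst -e http.host -e http.authbasic
FIELDS = ["frame.number", "ip.src", "ip.dst", "http.host", "http.authbasic"]

# Constructed sample output (not from a real capture).
# A field that is absent from a packet shows up as an empty column.
SAMPLE = (
    "12\t192.0.2.10\t198.51.100.5\tintranet.example\talice:s3cret\n"
    "13\t198.51.100.5\t192.0.2.10\t\t\n"
    "27\t192.0.2.11\t198.51.100.5\tintranet.example\t\n"
    "31\t192.0.2.12\t198.51.100.5\twiki.example\tbob:pa:ss\n"
)


def parse_fields(text, fields=FIELDS):
    """Map each tab-separated output line to a dict keyed by field name."""
    rows = []
    for lineno, line in enumerate(text.split("\n"), 1):
        if line == "":
            continue  # trailing newline at end of output
        # Do not strip() the line: trailing tabs are empty columns.
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} columns, got {len(cols)}")
        rows.append(dict(zip(fields, cols)))
    return rows


def basic_auth_findings(rows):
    """Return frames carrying HTTP Basic credentials, keeping only the user name."""
    findings = []
    for row in rows:
        cred = row["http.authbasic"]
        if not cred:
            continue
        # Assumed format "user:password"; the password may itself contain ':'.
        user = cred.partition(":")[0]
        findings.append({"frame": int(row["frame.number"]), "client": row["ip.src"],
                         "host": row["http.host"], "user": user})
    return findings


if __name__ == "__main__":
    for finding in basic_auth_findings(parse_fields(SAMPLE)):
        print(finding)
```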