
Wireshark-bugs: [Wireshark-bugs] [Bug 10284] New: _ws.col.Info field contains non-escaped quotes

Date: Wed, 16 Jul 2014 00:03:15 +0000
Bug ID 10284
Summary _ws.col.Info field contains non-escaped quotes (for mDNS protocol, at least)
Classification Unclassified
Product Wireshark
Version 1.11.x (Experimental)
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Major
Priority Low
Component TShark
Assignee [email protected]
Reporter [email protected]

Build Information:
TShark 1.11.3 (v1.11.3-0-g1dd5d3a from master)

Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, with
SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, without Python, with GnuTLS
2.12.18,
with Gcrypt 1.4.6, without Kerberos, with GeoIP.

Running on 64-bit Windows 7 Service Pack 1, build 7601, without WinPcap.
      Intel(R) Core(TM) i7-3720QM CPU @ 2.60GHz, with 8133MB of physical
memory.

Built using Microsoft Visual C++ 10.0 build 40219

--
The _ws.col.Info field sometimes contains double quotes ("). This is the case
for mDNS, and perhaps other protocols. This breaks CSV parsers, since they
recognize double quotes as the field delimiter. Note, using -E quote=d is
typically necessary when creating valid CSV from tshark, since many output
fields from tshark can contain a comma.

Sample of problem (note the "QM" inside the _ws.col.Info field): 
tshark -T fields -e frame.number -e _ws.col.Protocol -e _ws.col.Info -E separator=, -E header=y -E quote=d -Y "dns"
frame.number,_ws.col.Protocol,_ws.col.Info
"179","MDNS","Standard query 0x0000  PTR _googlecast._tcp.local, "QM" question"
"183","MDNS","Standard query 0x0000  PTR _googlecast._tcp.local, "QM" question"

Desired output:
tshark -T fields -e frame.number -e _ws.col.Protocol -e _ws.col.Info -E separator=, -E header=y -E quote=d -Y "dns"
frame.number,_ws.col.Protocol,_ws.col.Info
"179","MDNS","Standard query 0x0000  PTR _googlecast._tcp.local, QM question"
"183","MDNS","Standard query 0x0000  PTR _googlecast._tcp.local, QM question"

I recommend ensuring that double quotes are never placed inside of a tshark
output field, to include the _ws.col fields. Is this an issue with the mDNS
dissector?
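
An added example, not part of the original report or of Wireshark's code: a Python post-processor that splits the fully quoted rows shown above on the `","` boundary and re-emits them with embedded quotes doubled, so that a standard CSV parser recovers the Info text intact. The function names, and the assumption that only the last column can contain `","`, belong to this example.

```python
import csv
import io

# Constructed sample: the header and the two rows quoted in the report above.
SAMPLE = (
    'frame.number,_ws.col.Protocol,_ws.col.Info\n'
    '"179","MDNS","Standard query 0x0000  PTR _googlecast._tcp.local, "QM" question"\n'
    '"183","MDNS","Standard query 0x0000  PTR _googlecast._tcp.local, "QM" question"\n'
)

def split_row(line, ncols):
    """Split one `-E quote=d -E separator=,` row into exactly ncols raw fields.

    Assumption: every field is wrapped in double quotes, so real field
    boundaries are the three characters `","`. Only the last column (Info
    here) may itself contain that sequence; the first ncols-1 may not.
    """
    line = line.rstrip("\r\n")
    if len(line) < 2 or line[0] != '"' or line[-1] != '"':
        raise ValueError(f"row is not fully quoted: {line!r}")
    fields = line[1:-1].split('","', ncols - 1)
    if len(fields) != ncols:
        raise ValueError(f"expected {ncols} fields, got {len(fields)}: {line!r}")
    return fields

def repair(text):
    """Return CSV with embedded quotes doubled, built from tshark field output."""
    lines = text.splitlines()
    header = lines[0].split(",")  # the header row is written unquoted
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for line in lines[1:]:
        if line:
            writer.writerow(split_row(line, len(header)))
    return out.getvalue()

def parse(text):
    """Parse CSV text with the standard library reader (default dialect)."""
    return list(csv.reader(io.StringIO(text)))

if __name__ == "__main__":
    print("as emitted:", parse(SAMPLE)[1])
    print("repaired:  ", parse(repair(SAMPLE))[1])
```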

