ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
July 17th, 2024 | 10:00am-11:55am SGT (UTC+8) | Online
Wireshark logo

Wireshark-bugs: [Wireshark-bugs] [Bug 12161] New: tshark displays MATE fields in frames differen

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: bugzilla-daemon@xxxxxxxxxxxxx
Date: Tue, 23 Feb 2016 14:37:14 +0000
Bug ID 12161
Summary tshark displays MATE fields in frames differently from Wireshark, use of -2 (two-pass handling) removes them completely instead of helping it
Product Wireshark
Version 2.0.1
Hardware x86
OS Windows 7
Status UNCONFIRMED
Severity Normal
Priority Low
Component TShark
Assignee [email protected]
Reporter [email protected] 

Created attachment 14352 [details]
a sample capture of a SUBSCRIBE-initiated SIP dialog

Build Information:
Version 2.0.1 (v2.0.1-0-g59ea380 from master-2.0)

Copyright 1998-2015 Gerald Combs <[email protected]> and contributors.
License GPLv2+: GNU GPL version 2 or later
<http://www.gnu.org/licenses/old-licenses/gpl-2.0.html>
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled (64-bit) with Qt 5.3.2, with WinPcap (4_1_3), with libz 1.2.8, with
GLib 2.42.0, with SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, with GnuTLS
3.2.15, with Gcrypt 1.6.2, with MIT Kerberos, with GeoIP, with QtMultimedia,
with AirPcap.

Running on 64-bit Windows 7 Service Pack 1, build 7601, with locale C, with
WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version
1.0 branch 1_0_rel0b (20091008), with GnuTLS 3.2.15, with Gcrypt 1.6.2, without
AirPcap.
       Intel(R) Core(TM) i5-3210M CPU @ 2.50GHz (with SSE4.2), with 8141MB of
physical memory.


Built using Microsoft Visual C++ 12.0 build 31101
--
If the attached MATE configuration file is used, Wireshark shows mate.sip.Time
in for all frames of the attached capture file.

When the same capture file is processed by tshark using

tshark -r "subscribe_notify_filtered.pcapng" -T fields -e frame.number -e
sip.CSeq -e mate.sip.Time

the third parameter is only shown since it has become available, i.e. for
frames 4 and 5, which is expected.

If I add   -Y sip   (alone) to tshark parameters, the output does not change,
which is still expected.

However:
- if I add   -2   (alone) to tshark parameters, the output does not change
which is already weird itself
- if I add   -2 -Y sip   (or   -2 -Y udp   , doesn't matter) to tshark
parameters, mate.sip.Time is not shown for any of the packets
- if I add   -2 -R sip   (or   -2 -R udp   , doesn't matter) to tshark
parameters, mate.sip.Time is not shown for any of the packets

You are receiving this mail because:
  • You are watching all bug changes.
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube