
Wireshark-dev: Re: [Wireshark-dev] Some fields output nothing, when using tshark with -T fields

From: Sake Blok <sake@xxxxxxxxxx>
Date: Thu, 17 Jan 2008 20:05:17 +0100
On Thu, Jan 17, 2008 at 04:19:52PM +0100, Nils wrote:
> 
> Some fields output nothing, when tshark is used with the -T fields
> option, for example tcp.analysis.retransmission [1] I first thought
> that this is because its type is 'None', then I saw that this is also
> the case for other fields, like tcp.analysis.duplicate_ack_num.

In the latter case, "tcp.analysis.duplicate_ack_num", you should
see some values. But only for the packets that have that field.
The easiest example would be that when you do something like

tshark -r <file> -T fields -e tcp.srcport -e udp.srcport

Would only have one column filled in, depending on whether
the packet contains tcp or udp. There will be no output
when the packet contains neither tcp nor udp. The same
counts for "tcp.analysis.duplicate_ack_num", not every
tcp-packet is a duplicate packet, therefore not every
packet has a field by that name.


In case of the field "tcp.analysis.retransmission" I think there
is room for improvement. Even when this field is in the packet, no
output is given. That is because this field does not have a value.
It is either present or not. You cannot even build a filter

"tcp.analysis.retransmission == 1"

It would indeed be nice if the presence of the field would somehow
be shown in the "tshark -T fields" output.

Could you open an enhancement request on bugzilla.wireshark.org
for this issue so that it won't be forgotten?

Cheers,


Sake
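As an added illustration of the behaviour Sake describes (not code from the thread or from the Wireshark project): a small parser for `tshark -T fields` output that treats an empty column as "field absent", plus the workaround for a value-less field such as `tcp.analysis.retransmission`, whose presence can only be recovered from a second, display-filtered run (assumed here to use the modern `-Y` option). The sample output lines are constructed.

```python
# Constructed sample of what
#   tshark -r <file> -T fields -e frame.number -e tcp.srcport -e udp.srcport \
#          -e tcp.analysis.duplicate_ack_num
# prints: one tab-separated column per -e field, empty when the packet
# has no field by that name (frame 4 is neither TCP nor UDP).
FIELDS = ["frame.number", "tcp.srcport", "udp.srcport",
          "tcp.analysis.duplicate_ack_num"]
SAMPLE_OUTPUT = (
    "1\t443\t\t\n"
    "2\t\t53\t\n"
    "3\t443\t\t1\n"
    "4\t\t\t\n"
)

# Constructed result of the workaround run for a value-less field:
#   tshark -r <file> -Y tcp.analysis.retransmission -T fields -e frame.number
# which lists only the frames in which the field is present.
RETRANSMISSION_FRAMES = {"3"}


def parse_fields_output(text, fields):
    """Turn tshark -T fields output into dicts; absent fields become None."""
    records = []
    for line in text.splitlines():
        cols = line.split("\t")
        if len(cols) != len(fields):
            raise ValueError("expected %d columns, got %d: %r"
                             % (len(fields), len(cols), line))
        records.append({name: (col if col != "" else None)
                        for name, col in zip(fields, cols)})
    return records


def mark_presence(records, present_frames, field):
    """Attach a boolean for a field that has no value (FT_NONE), using the
    frame numbers produced by a display-filtered second tshark run."""
    for rec in records:
        rec[field] = rec["frame.number"] in present_frames
    return records


if __name__ == "__main__":
    recs = mark_presence(parse_fields_output(SAMPLE_OUTPUT, FIELDS),
                         RETRANSMISSION_FRAMES, "tcp.analysis.retransmission")
    for rec in recs:
        print(rec)
```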