Wireshark-dev: Re: [Wireshark-dev] Some fields output nothing, when using tshark with -T fields

From: Sake Blok <sake@xxxxxxxxxx>
Date: Fri, 18 Jan 2008 11:38:34 +0100
On Fri, Jan 18, 2008 at 10:48:48AM +0100, Nils wrote:
> Thanks a lot for your quick reply!
> 
> > In case of the field "tcp.analysis.retransmission" I think there
> > is room for improvement. Even when this field is in the packet, no
> > output is given. That is because this field does not have a value.
> > It is either present or not.
> 
> Is this because its type is 'None'? I'll open a bug, but I would also
> like to be able to fix this myself, I just don't have an idea where.

In "tshark.c", the function "print_packet()" takes care of printing
each packet. In case of -T fields (case WRITE_FIELDS:) the function
"proto_tree_write_fields()" is used. This function resides in
"print.c". This function walks through the tree and uses
"proto_tree_get_node_field_values()" to fill in the values.

I think this function needs to check for type "None" fields and
insert some value when the field is present. Nice to hear that
you want to fix this yourself, I hope this gives you some sense
of direction :-)


> Using filters currently is not an option, since I want to parse the
> output of multiple fields automatically. With filters I would have to
> run multiple instances of tshark AFAIK.

I totally agree with you here...

Cheers,
    Sake
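
The behaviour discussed in this thread, as an added illustration that is not Wireshark's code and not part of the original message: a simplified model of walking a packet tree for "-T fields" output, showing why a present but valueless field prints nothing and how a presence marker changes that. The struct, the enum, field_text() and the marker "1" are hypothetical; the sample packet is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Simplified stand-ins for Wireshark's field types and tree nodes (hypothetical). */
enum ftype { FT_NONE_MODEL, FT_UINT_MODEL };

struct node {
    const char *abbrev;             /* field name, e.g. "tcp.srcport" */
    enum ftype type;                /* FT_NONE_MODEL fields carry no value */
    const char *value;              /* NULL for valueless fields */
    const struct node *first_child;
    const struct node *next;
};

/* Walk the tree depth-first and return the text to print for `abbrev`.
 * Returns NULL when the field is absent from the packet.
 * For a present valueless field, returns `marker`, or "" when marker is NULL,
 * which models the behaviour reported in the thread. */
const char *field_text(const struct node *n, const char *abbrev, const char *marker)
{
    for (; n != NULL; n = n->next) {
        if (strcmp(n->abbrev, abbrev) == 0) {
            if (n->type == FT_NONE_MODEL || n->value == NULL)
                return marker ? marker : "";
            return n->value;
        }
        const char *hit = field_text(n->first_child, abbrev, marker);
        if (hit != NULL)
            return hit;
    }
    return NULL;
}

/* Constructed sample packet: a TCP segment flagged as a retransmission. */
static const struct node retrans  = { "tcp.analysis.retransmission", FT_NONE_MODEL, NULL, NULL, NULL };
static const struct node analysis = { "tcp.analysis", FT_NONE_MODEL, NULL, &retrans, NULL };
static const struct node srcport  = { "tcp.srcport", FT_UINT_MODEL, "443", NULL, &analysis };
static const struct node tcp      = { "tcp", FT_NONE_MODEL, NULL, &srcport, NULL };

int main(void)
{
    const char *f = "tcp.analysis.retransmission";
    printf("reported:    [%s]\n", field_text(&tcp, f, NULL)); /* empty column */
    printf("with marker: [%s]\n", field_text(&tcp, f, "1"));
    return 0;
}
```

With the empty string, a script parsing the column cannot tell a retransmitted segment from any other; the marker makes presence visible in the same tshark run as the other fields.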