ANNOUNCEMENT: Live Wireshark University & Allegro Packets online APAC Wireshark Training Session
April 17th, 2024 | 14:30-16:00 SGT (UTC+8) | Online
Wireshark logo

Wireshark-dev: Re: [Wireshark-dev] Some fields output nothing, when using tshark with -T fields

Date Prev · Date Next · Thread Prev · Thread Next
Date Index · Thread Index · Other Months · All Mailing Lists
From: Nils <n.bruenggel@xxxxxxxxx>
Date: Mon, 21 Jan 2008 22:07:22 +0100
I had a look at the patch [1], which introduced -T fields, especially
at this file [2]. However I did not figure out why it outputs nothing
for some fields. As far as I can see, all the fields added with -e are
appended to the 'fields' struct within output_fields_add(..), but I
can't see where it gets the values for the fields (guess: in
proto_tree_get_node_field_values(..), but I don't understand this
function so far)

I would be glad if somebody else could have a look at this.

[1] http://anonsvn.wireshark.org/viewvc/viewvc.py?view=rev&revision=21211
[2] http://anonsvn.wireshark.org/viewvc/viewvc.py/trunk/print.c?r1=21211&r2=21210&pathrev=21211



On Jan 18, 2008 11:38 AM, Sake Blok <sake@xxxxxxxxxx> wrote:
> On Fri, Jan 18, 2008 at 10:48:48AM +0100, Nils wrote:
> > Thanks a lot for your quick replay!
> >
> > > In case of the field "tcp.analysis.retransmission" I think there
> > > is room for improvement. Even when this field is in the packet, no
> > > output is given. That is because this field does not have a value.
> > > It is either present or not.
> >
> > Is this because it's type is 'None'? I'll open a bug, but I would also
> > like to be able to fix this myself, I just don't have an idea where.
>
> In "tshark.c", the "function print_packet()" takes care of printing
> each packet. In case of -T fields (case WRITE_FIELDS:) the function
> "proto_tree_write_fields()" is used. This function resides in
> "print.c". This function walks through the tree and uses
> "proto_tree_get_node_field_values()" to fill in the values.
>
> I think this function needs to check for type "None" fields and
> insert some value when the field is present. Nice to hear that
> you want to fix this yourself, I hope this gives you some sense
> of direction :-)
>
>
> > Using filters currently is not an option, since I want to parse the
> > output of multiple fields automatically. With filters I would have to
> > run multiple instances of tshark AFAIK.
>
> I totally agree with you here...
>
>
> Cheers,
>     Sake
> _______________________________________________
> Wireshark-dev mailing list
> Wireshark-dev@xxxxxxxxxxxxx
> http://www.wireshark.org/mailman/listinfo/wireshark-dev
>
Wireshark logo footer

© Wireshark Foundation · Privacy Policy

Facebook·Mastodon·Twitter·YouTube