Wireshark · Wireshark-dev: [Wireshark-dev] Help getting the "value" data instead of the "show" data from the pdml

Wireshark-dev: [Wireshark-dev] Help getting the "value" data instead of the "show" data from th

From: Michael Cochran <mdcrotu@xxxxxxxxx>

Date: Tue, 7 Apr 2009 14:52:15 -0700 (PDT)

Hello,

Currently when you run with the following options:
  tshark -i eth5 -T fields -e eth.dst -e eth.src -e eth.type -e data.data

You get the following output:
  00:80:52:00:00:00  00:80:52:00:ff:ff  0x814f  00:00:00:00:01:12:00:00

I can see that the "data" being selected from the pdml field (see pdml dump below) is the "show" data. But what I'd really like is the "value" data. This would give me a clean output without the "0x" or ":"'s in the data. Like this:
  008052000000  00805200ffff  814f  0000000001120000

Ideally it'd be nice if it was possible to select which of the formats of the field were output. I've been trying to figure out where I need to make the change to accomplish this but am having some difficulty. I know the output is coming from proto_tree_write_fields in print.c. But I don't understand the format of the tree that contains the data to retrieve.

Could someone point me in the right direction?

Much thanks,
Mike

Here is an example -T pdml dump a frame for reference:
<?xml version="1.0"?>
<pdml version="0" creator="wireshark/1.0.6">
<packet>
  <proto name="eth" showname="Ethernet II, Src: 00:80:52:00:ff:ff (00:80:52:00:ff:ff), Dst: 00:80:52:00:00:00 (00:80:52:00:00:00)" size="14" pos="0">
    <field name="eth.dst" showname="Destination: 00:80:52:00:00:00 (00:80:52:00:00:00)" size="6" pos="0" show="00:80:52:00:00:00" value="008052000000">
      <field name="eth.addr" showname="Address: 00:80:52:00:00:00 (00:80:52:00:00:00)" size="6" pos="0" show="00:80:52:00:00:00" value="008052000000"/>
      <field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="0" show="0" value="0" unmaskedvalue="008052"/>
      <field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="0" show="0" value="0" unmaskedvalue="008052"/>
    </field>
    <field name="eth.src" showname="Source: 00:80:52:00:ff:ff (00:80:52:00:ff:ff)" size="6" pos="6" show="00:80:52:00:ff:ff" value="00805200ffff">
      <field name="eth.addr" showname="Address: 00:80:52:00:ff:ff (00:80:52:00:ff:ff)" size="6" pos="6" show="00:80:52:00:ff:ff" value="00805200ffff"/>
      <field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="6" show="0" value="0" unmaskedvalue="008052"/>
      <field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="6" show="0" value="0" unmaskedvalue="008052"/>
    </field>
    <field name="eth.type" showname="Type: Unknown (0x814f)" size="2" pos="12" show="0x814f" value="814f"/>
  </proto>
  <proto name="fake-field-wrapper">
    <field name="data" value="0000000001120000"/>
      <field name="data.data" showname="Data: 0000000001120000" size="8" pos="14" show="00:00:00:00:01:12:00:00" value="0000000001120000"/>
  </proto>
</packet>

Prev by Date: Re: [Wireshark-dev] How to turn off optimization while compiling Wireshark on linux?
Next by Date: Re: [Wireshark-dev] How to handle duplicate fragments for a plugin written on top of UDP?
Previous by thread: Re: [Wireshark-dev] Reassembling packets
Next by thread: Re: [Wireshark-dev] How to handle duplicate fragments for a plugin written on top of UDP?
Index(es):
- Date
- Thread