Wireshark · Wireshark-dev: Re: [Wireshark-dev] tshark -T fields

[Martin Visser <martinvisser99@xxxxxxxxx>]

Doug and Peter,

This is basically the same question as Damker's post which I have responded to here - http://www.wireshark.org/lists/wireshark-users/201007/msg00108.html

Unfortunately each -e field only matches a single instance. You are 
better off parsing the PDML output, that outputs all of the fields by 
iterating through the field. I have created a perl one-liner that can do
 this:-

tshark.exe  -T pdml -r "MCNew.cap"  | perl -ane 
'@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc 
h248.transactionId);\
foreach $f (@flist) {\
 if(/field 
name=\"$f\".*show=\"(.*?)\".*/){print "$1,";}}'

Output is:

1307690,1307721,2046823431,1310708,1307721,1307690,1307721,3825208323,
1307719,1307721,1307690,1307721,3288337409,1307817,1307721,1307690,
1307721,2449476613,1307690,1307721,752404340,

Note
 that it seems (with this protocol) that as there seems to be a variable
 number of same field and some are option (for instance the second 
opc/dpc set doesn't have a matching transactionId), I would include the 
field name in the output so:

tshark.exe  -T pdml -r "MCNew.cap"  | perl -ane 
'@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc 
h248.transactionId);\
foreach $f (@flist) {\
 if(/field 
name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}'

m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,

m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,

m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,
 

Regards, Martin


Regards, Martin

MartinVisser99@xxxxxxxxx

On Mon, Jul 12, 2010 at 10:42 PM, Douglas Wood <doug.wood@xxxxxxxx> wrote:

I have created a modified version of Wireshark in which I produce tab
delimited files that actually aggregates multiple instances of particular
fields.  In fact, the output can become way too voluminous, but, it is much
faster to process these tab delimited files than the PDML output.
Especially when there are 100,000's of packets.

I will attest that the aggregation of multiple instances of a field is
pretty tricky.  I wouldn't mind working with somebody else to try to
generalize what I have done.

Doug

Peter Gordon wrote:
> tshark can be used to display fields using the -T option.
> If the same field occurs a number of times within a protocol,
> only one value ( the last ) gets displayed.
>
> As far as I can see the error looks like it comes from the
> routine proto_tree_write_fields.
>
> The -T pdml option gives the correct output, but is too voluminous.
>
> Can anyone help with a fix?

There's at least one bug for that:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3818

It was discussed quite a bit at Sharkfest this year too--there seemed to
be quite a bit of interest in finding a way to fix it.  (But: as
evidenced by the fact that there is so much interest and it hasn't been
done yet, it's non-trivial to implement.)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe