Wireshark-dev: Re: [Wireshark-dev] tshark -T fields
From: Martin Visser <[email protected]>
Date: Tue, 13 Jul 2010 10:09:57 +1000
Doug and Peter,

This is basically the same question as Damker's post which I have responded to here - http://www.wireshark.org/lists/wireshark-users/201007/msg00108.html

Unfortunately each -e field only matches a single instance. You are better off parsing the PDML output, which outputs all of the fields, by iterating through the fields. I have created a Perl one-liner that can do this:

tshark.exe -T pdml -r "MCNew.cap" | perl -ne '
  BEGIN { @flist = qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId) }
  # tshark writes each PDML <field> element on its own line; print every show="..." of the wanted fields
  foreach $f (@flist) { if (/field name="\Q$f\E".*show="(.*?)"/) { print "$1,"; } }'

Output is:

1307690,1307721,2046823431,1310708,1307721,1307690,1307721,3825208323,
1307719,1307721,1307690,1307721,3288337409,1307817,1307721,1307690,
1307721,2449476613,1307690,1307721,752404340,

Note that, since (with this protocol) there seems to be a variable number of the same field and some are optional (for instance the second opc/dpc set doesn't have a matching transactionId), I would include the field name in the output, so:

tshark.exe -T pdml -r "MCNew.cap" | perl -ne '
  BEGIN { @flist = qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId) }
  # same as above, but prefix each value with its field name so optional fields are not ambiguous
  foreach $f (@flist) { if (/field name="\Q$f\E".*show="(.*?)"/) { print "$f:$1,"; } }'

m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,

Regards, Martin


[email protected]
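The same PDML walk done with a real XML parser, as an added example that is not part of Martin's post or of Wireshark itself. It streams `<packet>` elements with `xml.etree.iterparse` (so the voluminous PDML Doug and Peter complain about never has to fit in memory), collects every occurrence of each wanted field per packet, recurses into nested `<field>` children, and tolerates the optional h248.transactionId that Martin notes is missing from some packets. The embedded PDML is constructed for the example (the opc/dpc/transactionId values are borrowed from the output above; the surrounding elements and hex values are made up), and `extract_fields`, `to_tsv` and `parse_sample` are names chosen here, not tshark APIs.

```python
import sys
import xml.etree.ElementTree as ET
from io import BytesIO

WANTED = ("m3ua.protocol_data_opc", "m3ua.protocol_data_dpc", "h248.transactionId")

# Constructed PDML sample (not real tshark output): packet 2 lacks h248.transactionId,
# packet 3 carries two M3UA protocol-data blocks so opc/dpc each occur twice.
SAMPLE_PDML = b"""<?xml version="1.0" encoding="utf-8"?>
<pdml version="0" creator="wireshark/1.2.9">
<packet>
  <proto name="frame" showname="Frame 1" size="150" pos="0"/>
  <proto name="m3ua" showname="MTP 3 User Adaptation Layer" size="40" pos="66">
    <field name="m3ua.protocol_data" showname="Protocol data" size="32" pos="70" show="" value="">
      <field name="m3ua.protocol_data_opc" showname="OPC: 1307690" size="4" pos="74" show="1307690" value="0013f42a"/>
      <field name="m3ua.protocol_data_dpc" showname="DPC: 1307721" size="4" pos="78" show="1307721" value="0013f449"/>
    </field>
  </proto>
  <proto name="h248" showname="H.248 MEGACO" size="44" pos="106">
    <field name="h248.transactionId" showname="Transaction ID: 2046823431" size="4" pos="110" show="2046823431" value="7a000c07"/>
  </proto>
</packet>
<packet>
  <proto name="frame" showname="Frame 2" size="100" pos="0"/>
  <proto name="m3ua" showname="MTP 3 User Adaptation Layer" size="40" pos="66">
    <field name="m3ua.protocol_data_opc" showname="OPC: 1310708" size="4" pos="74" show="1310708" value="0013fff4"/>
    <field name="m3ua.protocol_data_dpc" showname="DPC: 1307721" size="4" pos="78" show="1307721" value="0013f449"/>
  </proto>
</packet>
<packet>
  <proto name="frame" showname="Frame 3" size="200" pos="0"/>
  <proto name="m3ua" showname="MTP 3 User Adaptation Layer" size="40" pos="66">
    <field name="m3ua.protocol_data_opc" showname="OPC: 1307690" size="4" pos="74" show="1307690" value="0013f42a"/>
    <field name="m3ua.protocol_data_dpc" showname="DPC: 1307721" size="4" pos="78" show="1307721" value="0013f449"/>
  </proto>
  <proto name="m3ua" showname="MTP 3 User Adaptation Layer" size="40" pos="120">
    <field name="m3ua.protocol_data_opc" showname="OPC: 1307719" size="4" pos="128" show="1307719" value="0013f447"/>
    <field name="m3ua.protocol_data_dpc" showname="DPC: 1307721" size="4" pos="132" show="1307721" value="0013f449"/>
  </proto>
  <proto name="h248" showname="H.248 MEGACO" size="44" pos="160">
    <field name="h248.transactionId" showname="Transaction ID: 3825208323" size="4" pos="164" show="3825208323" value="e4000c03"/>
  </proto>
</packet>
</pdml>
"""


def extract_fields(pdml_stream, wanted=WANTED):
    """Yield one dict per <packet>: field name -> list of every show= value seen.

    iterparse fires an 'end' event once a <packet> subtree is complete; the
    subtree is cleared afterwards so memory stays flat on huge captures.
    elem.iter() recurses, so fields nested inside other fields are found too.
    """
    names = set(wanted)
    for _event, elem in ET.iterparse(pdml_stream, events=("end",)):
        if elem.tag != "packet":
            continue
        row = {name: [] for name in names}
        for field in elem.iter("field"):
            name = field.get("name")
            if name in names:
                value = field.get("show")
                if value is not None:  # a few PDML fields carry only showname=
                    row[name].append(value)
        elem.clear()
        yield row


def to_tsv(rows, wanted=WANTED, aggregator=","):
    """One tab-separated line per packet; repeated values are joined by aggregator.
    An optional field that is absent yields an empty cell instead of shifting columns."""
    lines = ["\t".join(wanted)]
    for row in rows:
        lines.append("\t".join(aggregator.join(row[name]) for name in wanted))
    return "\n".join(lines)


def parse_sample():
    """Run the extractor over the constructed sample; used for a quick self-check."""
    return list(extract_fields(BytesIO(SAMPLE_PDML)))


if __name__ == "__main__":
    # Usage: tshark -T pdml -r capture.cap | python pdml_fields.py   (or pass a saved .pdml path)
    source = open(sys.argv[1], "rb") if len(sys.argv) > 1 else BytesIO(SAMPLE_PDML)
    with source:
        print(to_tsv(extract_fields(source)))
```

Keeping the values grouped per packet, with an empty cell where a field is absent, is what makes the output unambiguous; the flat comma stream from the one-liner only works if you already know which fields can be missing. Later tshark releases also accept `-E occurrence=a` (with `-E aggregator=,`) alongside `-T fields`, which prints every instance of a field without going through PDML; the parser above is still the route when you need to see which nested `<field>` or `<proto>` a repeated value belongs to.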


On Mon, Jul 12, 2010 at 10:42 PM, Douglas Wood <[email protected]> wrote:
I have created a modified version of Wireshark in which I produce tab-delimited
files that actually aggregate multiple instances of particular fields.  In
fact, the output can become way too voluminous, but it is much faster to
process these tab-delimited files than the PDML output, especially when there
are 100,000's of packets.

I will attest that the aggregation of multiple instances of a field is
pretty tricky.  I wouldn't mind working with somebody else to try to
generalize what I have done.

Doug



Peter Gordon wrote:
> tshark can be used to display fields using the -T option.
> If the same field occurs a number of times within a protocol,
> only one value ( the last ) gets displayed.
>
> As far as I can see the error looks like it comes from the
> routine proto_tree_write_fields.
>
> The -T pdml option gives the correct output, but is too voluminous.
>
> Can anyone help with a fix?

There's at least one bug for that:

https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3818

It was discussed quite a bit at Sharkfest this year too--there seemed to
be quite a bit of interest in finding a way to fix it.  (But: as
evidenced by the fact that there is so much interest and it hasn't been
done yet, it's non-trivial to implement.)
___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <[email protected]>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
            mailto:[email protected]?subject=unsubscribe