Wireshark-users: Re: [Wireshark-users] Help needed controlling tshark output format
From: "Rob MacKenzie" <[email protected]>
Date: Mon, 2 Jun 2008 10:44:50 -0400
I know your problem.  I am looking at providing a patch soon, but I
haven't decided to if I should modify the -o column.output or add
options for %i style info into -T feilds.  Probably the latter.

In the mean-time, I just added a hardcoded delimiter to a custom version
of Tshark I compiled for the -o column.format method.

For the custom fields, check to make sure you are running at least 1.0.0
of Tshark, as it was recently added.  Also, you should be using -T
fields, not -t text.  Lastly, it might be easier to use -w for
outputting the -T fields to a file then using stout redirection.

Rob MacKenzie
Advanced Connectivity Developer
-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Andrew
Cuthbertson
Sent: June 2, 2008 10:12 AM
To: [email protected]
Subject: [Wireshark-users] Help needed controlling tshark output format

Hello

I have a few questions about getting text information out of tshark and
hope
someone can help as I am new to this.

1. I want to get data out in a delimited format to load into a
spreadsheet/database for custom reporting and analysis.
2. I would like to be able to get the data value and the decoded value.
eg
tcp.port value is 80, decoded value is http
3. I would like to see if the packets are marked by a specified analysis
flag, eg tcp.analysis.retransmission

>From what I can see there are 2 main formats
Example A. tshark.exe" -o column.format:""No.", "%m", "Time", "%t",
"Source", "%s", "Destination", "%d", "srcport", "%uS", "dstport", "%uD",
"len", "%L", "Protocol", "%p", "Info", "%i", "expert","%a"" -r
e:\temp\wstest\test.enc > e:\temp\wstest\testout.txt
using % values

Example B. "C:\Program Files\Wireshark\tshark.exe" -T text -E
separator=; -E
header=y -Tfields -e frame.number -e frame.time -e frame.time_delta -e
frame.pkt_len -e frame.protocols -e eth.src -e ip.src -e tcp.srcport -e
eth.dst -e ip.dst -e tcp.dstport -e tcp.seq -e tcp.nxtseq -e tcp.ack -e
tcp.window_size -e tcp.flags -e tcp.flags.push -e tcp.flags.ack -e
tcp.flags.syn -e tcp.flags.reset -r e:\temp\wstest\test.enc >
e:\temp\wstest\testout.txt

>From Example A
A1 bad: I understand from other threads that it is not possible to have
specified a delimiter using this format
A2 bad: I understand with this format it is possible to to add fields as
per
display filter fields. The example I found is "Len", "%Cus:tcp.len".
unfortunatly I have not been able to get it work on this or any other
fields
using dos window or cywin.
A3 good: decoded value is available for many fields

>From Example B
B1 good: output can have all fields as per normal display filters
B2 good: I can have a delimiter
B3 bad: no flag is set for tcp.analysis.retransmission field even when
you
apply the tcp.analysis.retransmission filter to only get retransmitted
packets. If this flag had been set this way then I would OR this filter
with
frame.number>0 to get all packets and have the flag set on the relevant
frams.
B4 bad: I cannot find how to get the decodes value of the field.
B5 I would like something like %i value from the Example A format. Is it
possible to use the % values in the Example B command line.

I know there are a few different questions here and any help with the
above
would be appreciated. There may of course be better ways to approach
this in
which case please point me in the right direction.

My ideal solution is like Example B with a value in fields like -e
tcp.analysis.retransmission and being able to add %fields from Example A

Kind regards

Andrew Cuthbertson
Email: [email protected]


_______________________________________________
Wireshark-users mailing list
[email protected]
http://www.wireshark.org/mailman/listinfo/wireshark-users

---------------------------------------------------------------------
This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.