Wireshark-users: Re: [Wireshark-users] Help needed controlling tshark output format
From: "Rob MacKenzie" <[email protected]>
Date: Wed, 4 Jun 2008 16:52:43 -0400

Sorry for delay, I was caught up today with side projects.

For our project, I needed something fast, so I setup the development
environment and just removed a bunch of code that makes the output look
nice, and replaced it with code that put in a specific delimiter.  If
you look at the source of tshark.c it's trivial.  Look at like 2700,
there is a switch statement that does the work.  I just replaced the
whole damned thing with    strcat(line_bufp + buf_offset, " ");
        buf_offset += 1;

and it works, albeit a hacky solution.

If you want, I can provide the binary file I created (I'm about to
recompile with a ';' delimiter, I can also do another if you prefer)

I should be able to create a proper version and patch by Monday,
provided my other projects don't go awry.

Rob MacKenzie
Advanced Connectivity Developer

-----Original Message-----
From: [email protected]
[mailto:[email protected]] On Behalf Of Andrew
Sent: June 4, 2008 3:11 AM
To: [email protected]
Subject: Re: [Wireshark-users] Help needed controlling tshark output

Great. The latter would work good for me. remember the header value. How
long do you think it would take to do this?, and how will I know when
Meanwhile, how did you do the delimiter in -o column format?
-w doen't have text output option that's why I use >
Any idea if point 3 below is possible.

From: "Rob MacKenzie" <[email protected]>
Date: Mon, 2 Jun 2008 10:44:50 -0400

I know your problem.  I am looking at providing a patch soon, but I
haven't decided to if I should modify the -o column.output or add
options for %i style info into -T feilds.  Probably the latter.

In the mean-time, I just added a hardcoded delimiter to a custom version
of Tshark I compiled for the -o column.format method.

For the custom fields, check to make sure you are running at least 1.0.0
of Tshark, as it was recently added.  Also, you should be using -T
fields, not -t text.  Lastly, it might be easier to use -w for
outputting the -T fields to a file then using stout redirection

	From Andrew Cuthbertson
	1. I want to get data out in a delimited format to load into a
	spreadsheet/database for custom reporting and analysis.
	2. I would like to be able to get the data value and the decoded
	eg tcp.port value is 80, decoded value is http
	3. I would like to see if the packets are marked by a specified
	flag, eg tcp.analysis.retransmission

Wireshark-users mailing list
[email protected]

This transmission (including any attachments) may contain confidential information, privileged material (including material protected by the solicitor-client or other applicable privileges), or constitute non-public information. Any use of this information by anyone other than the intended recipient is prohibited. If you have received this transmission in error, please immediately reply to the sender and delete this information from your system. Use, dissemination, distribution, or reproduction of this transmission by unintended recipients is not authorized and may be unlawful.