Wireshark-users: Re: [Wireshark-users] Packet List Display
From: Kevin Cullimore <[email protected]>
Date: Fri, 06 Jun 2008 03:23:13 -0400
Tony Fortunato wrote:
Hi Sake,

I was fumbling around tshark and was getting close, but you did a far better
job than I did.  I was looking for the IP.id to correlate when I compare two
trace files.

I would prefer a way to do it in the GUI, but will do nicely.

Given those specific requirements (ip header field, GUI), why doesn't

Title: <arbitrary-text-string>
Format: Custom
Unlabeled text box to the right of the Format drop-down control: ip.id (display filter syntax appears to work, at least in this case)

meet your needs? Wireshark appears to both display & export the new column.

Tony Fortunato, Sr Network Specialist The Technology Firm 905 702-0108
Getting things to work better - bit by bit-
-----Original Message-----
From: Sake Blok [mailto:[email protected]] Sent: Wednesday, May 21, 2008 2:20 PM
To: [email protected]; Community support list for Wireshark
Subject: Re: [Wireshark-users] Packet List Display

On Wed, May 21, 2008 at 05:16:47PM +0200, Sake Blok wrote:
On Wed, May 21, 2008 at 09:16:36AM -0400, Tony Fortunato wrote:
- I wanted to see (and ideally export) the Packet List with the IP info as the displayed protocol, even if Wireshark can decode the higher
If I understand you correctly you want the Info column to display the values as if IP was the last layer that was dissected by Wireshark?
I thought that would be possible to achieve by disabling all protocols
and then enabling only Ethernet and IP. But unfortunately the IP
dissector then just displays: "TCP (0x06)".
Hmmm... I looked at epan/dissectors/packet-ip.c and it shows that only
exceptions are put into the "Info Column". This makes sense as IP will never
be the last protocol, there will always be a protocol on top of it. If it
doesn't know that protocol, it will just show "<name> (<proto-id>)".

When I disable the HTTP dissector, the Info Column will indeed show the TCP info like there was no upper layer present.
Do you want the IP dissector to behave in the same manner? 
(ie showing IP details in the Info Column when the upper layer 
protocol dissectors are disabled)
What info do you want exactly? I think you can use tshark to accomplish your
goal. Let's have a try..

$ tshark -r trees.cap -T fields -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e ip.len -e ip.id -e ip.ttl -e ip.proto -e ip.checksum -E header=y
frame.number  frame.time_relative  ip.src  ip.dst  ip.len  ip.id   ip.ttl  ip.proto  ip.checksum
 1            0.000000000                  40      0xfed7  120     0x06      0xe78e
 2            0.037319000                  128     0x2ed6  59      0x32      0xc43f
 3            1.018455000                  136     0xa817  63      0x06      0x76ef
 4            1.231212000                  40      0xfed8  120     0x06      0xe78d
 5            2.820017000                  88      0xfed9  120     0x06      0xe75c
 6            2.854071000                  40      0xa818  63      0x06      0x774e
 7            2.968476000                  88      0xfeda  120     0x06      0xe75b
 8            2.969336000                  40      0xa819  63      0x06      0x774d
 9            2.971973000                  344     0xa81a  63      0x06      0x761c

Does something like that fit your needs?


Wireshark-users mailing list
[email protected]
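An added example, not from this thread or from the Wireshark project, showing how the tshark field export Sake describes can serve the cross-trace correlation Tony asks about: it parses two constructed `-T fields -E header=y` outputs (hypothetical traces A and B, with ip.src/ip.dst included, which the archived output above lacks) and matches packets on the (src, dst, ip.id) tuple, reporting the TTL difference between capture points.

```python
"""Correlate two tshark field exports by IP identification."""

# Constructed sample output of a command like:
#   tshark -r <trace>.cap -T fields -e frame.number -e ip.src -e ip.dst \
#          -e ip.id -e ip.ttl -E header=y
# tshark -T fields emits tab-separated columns; traces A and B are hypothetical
# captures of the same flow taken at two points in the path.
TRACE_A = """frame.number\tip.src\tip.dst\tip.id\tip.ttl
1\t10.0.0.5\t192.0.2.10\t0xfed7\t128
2\t192.0.2.10\t10.0.0.5\t0x2ed6\t59
3\t10.0.0.5\t192.0.2.10\t0xfed8\t128
"""
TRACE_B = """frame.number\tip.src\tip.dst\tip.id\tip.ttl
7\t10.0.0.5\t192.0.2.10\t0xfed7\t120
8\t10.0.0.5\t192.0.2.10\t0xfed8\t120
9\t10.0.0.5\t192.0.2.10\t0xfee0\t120
"""


def parse_fields(text):
    """Turn tshark -T fields -E header=y output into a list of row dicts."""
    lines = text.strip().splitlines()
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def packet_key(row):
    # ip.id alone is not unique: it is a 16-bit value that wraps, and some
    # hosts emit 0 for every packet, so key on the endpoint pair as well.
    return (row["ip.src"], row["ip.dst"], int(row["ip.id"], 16))


def correlate(text_a, text_b):
    """Return (matches, only_in_a).

    matches: (frame_a, frame_b, ttl_a - ttl_b); the TTL delta is the number of
    routed hops between the two capture points. only_in_a: frames of A with no
    counterpart in B (lost, or simply outside B's capture window).
    """
    index_b = {}
    for row in parse_fields(text_b):
        index_b.setdefault(packet_key(row), []).append(row)
    matches, only_in_a = [], []
    for row in parse_fields(text_a):
        peers = index_b.get(packet_key(row))
        if not peers:
            only_in_a.append(int(row["frame.number"]))
            continue
        for peer in peers:
            matches.append((int(row["frame.number"]), int(peer["frame.number"]),
                            int(row["ip.ttl"]) - int(peer["ip.ttl"])))
    return matches, only_in_a
```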