
Wireshark-users: Re: [Wireshark-users] Reply: question, how to output specific fields in a complex p

From: Martin Visser <martinvisser99@xxxxxxxxx>
Date: Tue, 13 Jul 2010 16:28:07 +1000
I think you have a shell substitution problem. I was doing this in Cygwin on Windows, which would be compatible with Linux/UNIX shells, but I guess you are doing this in Windows CMD.

I noticed you changed my single quote (') to a double quote (") after perl -ane and at the end. Can you leave these as a single quote? Otherwise you might need to escape the characters that seem to have gone missing, so "$f:$1," becomes "$f\:$1\," (or something like that).

Sorry, but Windows CMD does some strange things (hence why those in the know use Cygwin if they have to do this kind of thing on Windows).

Alternately you can put everything in a self-contained Perl script, and not have to understand the Windows command shell idiosyncrasies.

Regards, Martin

MartinVisser99@xxxxxxxxx


On Tue, Jul 13, 2010 at 2:13 PM, damker <damker@xxxxxxxx> wrote:

Thanks, the theory is OK, but something else happened.

My OS is WIN7+ActivePerl 5.10,


When using

tshark.exe  -T pdml -r "d:\temp\MCNew.cap"  | perl -ane "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}" > d:\temp\mcnew.txt


error reported:

syntax error at -e line 1, near "$f:"

Execution of -e aborted due to compilation errors.

tshark: An error occurred while printing packets: Invalid argument.


When using

tshark.exe  -T pdml -r "d:\temp\MCNew.cap"  | perl -ane "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f,$1,";}}" > d:\temp\mcnew.txt


result is:

m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId2046823431m3ua.protocol_data_opc1310708m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId3825208323m3ua.protocol_data_opc1307719m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId3288337409m3ua.protocol_data_opc1307817m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId2449476613m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId752404340


There is no “,” character; any suggestion to solve this?


From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On behalf of Martin Visser
Sent: 2010/7/13 8:03
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] question, how to output specific fields in a complex packet using tshark command line


Unfortunately each -e field only matches a single instance. You are better off parsing the PDML output, which outputs all of the fields, by iterating through the fields. I have created a perl one-liner that can do this:

tshark.exe  -T pdml -r "MCNew.cap"  | perl -ane '@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId);\
foreach $f (@flist) {\
 if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$1,";}}'

Output is:

1307690,1307721,2046823431,1310708,1307721,1307690,1307721,3825208323,
1307719,1307721,1307690,1307721,3288337409,1307817,1307721,1307690,
1307721,2449476613,1307690,1307721,752404340,

Note that it seems (with this protocol) that there is a variable number of the same field and some are optional (for instance the second opc/dpc set doesn't have a matching transactionId), so I would include the field name in the output:

tshark.exe  -T pdml -r "MCNew.cap"  | perl -ane '@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId);\
foreach $f (@flist) {\
 if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}'

m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,

Regards, Martin

MartinVisser99@xxxxxxxxx

2010/7/12 damker <damker@xxxxxxxx>


From: damker [mailto:damker@xxxxxxxx]
Sent: 2010/7/12 16:26
To: 'Wireshark-users-request@xxxxxxxxxxxxx'
Subject: help, how to output specific fields in a complex packet using tshark command line


Help

The attachment is a packet captured on the Mc interface; there are 8 SCTP and upper layers. I want to output all the m3ua.protocol_data_opc, m3ua.protocol_data_dpc, h248.transactionId in every M3UA.

If I put the file in d:\temp\ and use the command line below:


tshark -r d:\temp\MCNew.cap -T fields -E separator=, -e m3ua.protocol_data_opc -e m3ua.protocol_data_dpc -e h248.transactionId >d:\temp\h248.txt


it outputs only the last m3ua.protocol_data_opc, m3ua.protocol_data_dpc, h248.transactionId, not all of them. How do I write a correct command line to output all the fields I want?


___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
            mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
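Martin's closing suggestion above was to move the logic into a self-contained script so that no shell (CMD, Cygwin, bash) gets a chance to rewrite the quotes. The following is an added example, not code from this thread or from the Wireshark project: it does the same job as the Perl one-liner but reads the PDML with a real XML parser instead of a per-line regex, so it finds every occurrence of a field however deeply tshark nests it, emits one line per packet, and streams the input so a multi-gigabyte PDML dump does not have to fit in memory. The field names are the three from the thread; the PDML sample and its values are constructed for the example and are not taken from the capture being discussed.

```python
"""Extract every occurrence of chosen fields from tshark PDML output.

Usage (the script name is an assumption for this example):
    tshark -r capture.cap -T pdml | python pdml_fields.py
    python pdml_fields.py capture.pdml
"""
import io
import sys
import xml.etree.ElementTree as ET
from typing import Iterable, Iterator, List, Tuple

# Field names requested in the thread; any PDML field name works here.
WANTED = ("m3ua.protocol_data_opc", "m3ua.protocol_data_dpc", "h248.transactionId")

# Constructed PDML sample in the shape tshark emits. The values are invented
# for this example; the second packet deliberately has no h248 transaction,
# mirroring the optional-field case Martin pointed out.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0" creator="wireshark/example">
<packet>
  <proto name="m3ua" showname="MTP 3 User Adaptation Layer">
    <field name="m3ua.parameter_tag" showname="Parameter Tag: Protocol Data" show="528" value="0210">
      <field name="m3ua.protocol_data_opc" showname="OPC: 100" show="100" value="00000064"/>
      <field name="m3ua.protocol_data_dpc" showname="DPC: 200" show="200" value="000000c8"/>
    </field>
  </proto>
  <proto name="h248" showname="MEGACO">
    <field name="h248.transactionId" showname="Transaction ID: 1" show="1" value="01"/>
  </proto>
</packet>
<packet>
  <proto name="m3ua" showname="MTP 3 User Adaptation Layer">
    <field name="m3ua.protocol_data_opc" showname="OPC: 300" show="300" value="0000012c"/>
    <field name="m3ua.protocol_data_dpc" showname="DPC: 200" show="200" value="000000c8"/>
  </proto>
</packet>
</pdml>
"""


def extract_fields(pdml_source, wanted: Iterable[str]) -> Iterator[List[Tuple[str, str]]]:
    """Yield, per <packet>, every (name, show) pair whose name is in `wanted`.

    iterparse fires an event when each element closes; we only act on
    <packet>, collect the matching <field> descendants in document order
    (so nesting depth does not matter), then clear the finished packet so
    memory stays flat regardless of capture size.
    """
    wanted = set(wanted)
    for _event, elem in ET.iterparse(pdml_source, events=("end",)):
        if elem.tag != "packet":
            continue
        hits = [
            (f.get("name"), f.get("show", ""))
            for f in elem.iter("field")
            if f.get("name") in wanted
        ]
        yield hits
        elem.clear()  # drop the finished packet from memory


def format_packet(hits: List[Tuple[str, str]]) -> str:
    """One output line per packet, name:value pairs, the format Martin used."""
    return ",".join(f"{name}:{value}" for name, value in hits)


def run_on_sample() -> List[str]:
    """Run the extractor over the constructed sample (used by the self-test)."""
    return [format_packet(h) for h in extract_fields(io.BytesIO(SAMPLE_PDML.encode()), WANTED)]


if __name__ == "__main__":
    src = open(sys.argv[1], "rb") if len(sys.argv) > 1 else sys.stdin.buffer
    for packet_hits in extract_fields(src, WANTED):
        print(format_packet(packet_hits))
```

Because the field names are matched as exact attribute values rather than as a regex, the dots in m3ua.protocol_data_opc cannot accidentally match other characters, and a line-wrapped or re-indented PDML file parses the same as a compact one. Newer tshark releases also accept -E occurrence=a together with -T fields, which prints every occurrence of an -e field rather than only the last one; the PDML route above remains useful when you need the per-packet grouping or fields that tshark nests.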


