Wireshark · Wireshark-users: Re: [Wireshark-users] How to display identical fields with tshark

[Sake Blok <sake@xxxxxxxxxx>]

On 5 jan 2011, at 21:51, eymanm wrote:

I have a protocol that contains the same fields, let's name them A, in a single frame. Let's also assume that there are three As in a single frame. When using tshark with -V all the As are displayed properly. When using -e, only the last A is displayed. Can somebody suggest how to display the first and the second As with -e?

I implemented the ability to select the first, last or all occurrences of a field with tshark a while ago. It's not yet in 1.4.x, so you will have to use an automated build or wait for 1.5.0.

From 'tshark -h':

  -e <field>               field to print if -Tfields selected (e.g. tcp.port);

                           this option can be repeated to print multiple fields

  -E<fieldsoption>=<value> set options for output when -Tfields selected:

     header=y|n            switch headers on and off

     separator=/t|/s|<char> select tab, space, printable character as separator

     occurrence=f|l|a      print first, last or all occurrences of each field

     aggregator=,|/s|<char> select comma, space, printable character as aggregator

     quote=d|s|n           select double, single, no quotes for values

Cheers,

Sake