This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is it possible to have only one entry in the packet table for a specific VLAN ID, even if we got 1000 packets of that VLAN ID, of different or the same protocol and whatever the contents of the packets?

Currently, we have to capture a lot of packets, then sort by VLAN ID and scroll through a long list to find what different VLAN IDs we received on our system.

asked 05 Nov '12, 00:41


manit

edited 05 Nov '12, 12:49


Guy Harris ♦♦


You can't do that in the GUI, but that's where tshark can help. Capture your data with either Wireshark, dumpcap or tshark and write it to input.cap.

Then call tshark to extract the VLAN IDs.

tshark -r input.cap -T fields -e vlan.id

This will print all vlan IDs. However, you will get duplicates. So you need to filter those duplicates with a script and/or other tools.

Sort the values in numerical ascending order and eliminate duplicates.

Windows

powershell -command "tshark -r input.cap -T fields -e vlan.id | sort-object {[int] $_} -unique"

Linux

tshark -r input.cap -T fields -e vlan.id | sort -n -u

Regards
Kurt


answered 05 Nov '12, 01:09


Kurt Knochner ♦

That worked well, Kurt.

There ain't a way to tell Wireshark to show one row for a specific VLAN ID, ignoring other fields. I wanted the following scenario: Let us say we add another column called 'packet-count' to the table. If a packet appears, then check its vlan-id. If it has been encountered before, then add 1 to the packet count, else add another row with that vlan-id. That would mean analysing while capturing. Seems that is not possible.

(05 Nov '12, 01:37) manit

Seems that is not possible.

That's not possible, unless you change the code of Wireshark.

You can write a VLAN dissector in Lua and add a field for your packet counter there. HOWEVER: That will not eliminate multiple packets with the same VLAN ID in the packet list.

BTW: You are talking about packet count and unique VLAN IDs. What do you actually want to know? How many VLAN IDs you captured and/or how many packets per VLAN ID? If so, why do you need that while you are capturing the data?

Maybe there is another way !?!

(05 Nov '12, 02:02) Kurt Knochner ♦

Is it possible to have only one entry in the packet table for a specific VLAN ID, even if we got 1000 packets of that VLAN ID, of different or the same protocol and whatever the contents of the packets?

No. That's not what the packet table is for. The "packet table" is a table of, well, packets, so there's one entry in the packet table for each packet.

It would be possible to have a statistics tap that displayed a table showing all VLAN IDs in the capture, just as we already have taps to show, for example, all Ethernet or IPv4 or IPv6 or... addresses in the capture. Taps can be written in Lua, although I'm not sure whether a Lua tap can pop up a table display in the GUI in Wireshark rather than just print it out as text in TShark.


answered 05 Nov '12, 12:48


Guy Harris ♦♦
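
Added example, not part of the original answers: a post-capture summary that turns the `tshark -r input.cap -T fields -e vlan.id` output from the first answer into the per-VLAN packet count asked about in the comments. The function names and the sample lines are constructed for illustration; it assumes tshark's default field output, where an untagged packet prints an empty line and a double-tagged (QinQ) packet prints its IDs joined by a comma.

```shell
#!/bin/sh
# Added example: packets per VLAN ID from tshark field output.
# Real use:  tshark -r input.cap -T fields -e vlan.id | vlan_counts

# vlan_counts: read one line per packet on stdin and print
# "<vlan-id> <packet-count>" in ascending VLAN ID order, followed by an
# "untagged <count>" line if any packet carried no 802.1Q tag.
vlan_counts() {
    awk -F',' '
        /^[ \t\r]*$/ { untagged++; next }       # no vlan.id field in this packet
        {
            split("", seen)                      # reset per-packet de-duplication
            for (i = 1; i <= NF; i++) {
                id = $i
                gsub(/[^0-9]/, "", id)           # drop whitespace and CR (Windows output)
                if (id != "" && !(id in seen)) {
                    seen[id] = 1
                    count[id]++                  # QinQ packet counts once per distinct tag
                }
            }
        }
        END {
            for (id in count) print id, count[id] | "sort -n"
            close("sort -n")                     # flush sorted rows before the summary row
            if (untagged) print "untagged", untagged
        }
    '
}

# sample_vlan_ids: constructed stand-in for tshark output (8 packets:
# two untagged, one double-tagged with outer/inner IDs 100 and 200).
sample_vlan_ids() {
    printf '%s\n' 10 10 '' 20 100,200 10 '' 200
}

# Demo on the constructed sample.
sample_vlan_ids | vlan_counts
```

The untagged row makes it visible when traffic arrives without a tag at all, which the plain `sort -n -u` pipeline shows only as a single blank line.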
