Hi, I have GTP encapsulated traffic. So one IP package contains 2 IP addresses:
When I specify ip.src as display filter or as "field" in tshark I only get the address of the encapsulated ip traffic. Can anyone tell me how I can display the ip address of the original ip package?

Thanks, Ralf

asked 17 Sep '10, 04:34 bradfield edited 17 Sep '10, 04:37
2 Answers:
In tshark you can use the option "-E occurrence=<f|l|a>", where "f" means the first occurrence of a field with multiple instances, "l" means last occurrence and "a" means all occurrences. If you select "a", then all occurrences are aggregated by a comma by default, but this can be changed by the "-E aggregator=<char>" option.

This functionality does not (yet) exist for Wireshark's custom columns.

Update 22 September: I just submitted new code that will make it possible to select the occurrence in Wireshark too. In a few hours there will be an automated build at http://www.wireshark.org/download/automated/ (make sure you pick a file with a number higher than 34186, otherwise the patch will not be in it).

answered 17 Sep '10, 05:31 SYN-bit ♦♦ edited 22 Sep '10, 14:01
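An added example, not part of the original answer and not tshark code: it builds a constructed GTP-U packet and shows why ip.src has two occurrences and what the "f", "l" and "a" selections with an aggregator return. The function names and all addresses are assumptions made for illustration; on a real capture the equivalent is `tshark -r <file> -T fields -e ip.src -E occurrence=f`.

```python
import socket
import struct

GTPU_PORT = 2152  # registered UDP port for GTP-U

def ipv4(src, dst, proto, payload):
    """Build a minimal IPv4 header (checksum left at 0) around payload."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def udp(sport, dport, payload):
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def gtpu(teid, payload):
    # flags 0x30: version 1, protocol type GTP, no optional fields; 0xFF = G-PDU
    return struct.pack("!BBHI", 0x30, 0xFF, len(payload), teid) + payload

def ip_src_occurrences(pkt):
    """Return every IPv4 source address in the packet, outermost first."""
    found = []
    while len(pkt) >= 20 and pkt[0] >> 4 == 4:
        ihl = (pkt[0] & 0x0F) * 4
        found.append(socket.inet_ntoa(pkt[12:16]))
        l4 = pkt[ihl:]
        if pkt[9] != 17 or len(l4) < 16:       # not UDP, or too short for GTP-U
            break
        if struct.unpack("!H", l4[2:4])[0] != GTPU_PORT or l4[9] != 0xFF:
            break                               # not a GTP-U G-PDU
        # 8-byte UDP + 8-byte GTP header, plus 4 optional bytes if E/S/PN is set
        # (extension header chains are not followed in this sketch)
        pkt = l4[8 + 8 + (4 if l4[8] & 0x07 else 0):]
    return found

def select(values, occurrence="a", aggregator=","):
    """Mimic the effect of -E occurrence=<f|l|a> and -E aggregator=<char>."""
    if not values:
        return ""
    if occurrence == "f":
        return values[0]
    if occurrence == "l":
        return values[-1]
    return aggregator.join(values)

# Constructed sample: inner ICMP packet 10.0.0.5 -> 198.51.100.7, tunnelled
# between GTP nodes 192.0.2.1 -> 192.0.2.2. All addresses are made up.
inner = ipv4("10.0.0.5", "198.51.100.7", 1, b"\x08\x00" + bytes(6))
SAMPLE = ipv4("192.0.2.1", "192.0.2.2", 17,
              udp(GTPU_PORT, GTPU_PORT, gtpu(0x1234, inner)))
```

Here the first occurrence is the tunnel endpoint (the outer header) and the last is the encapsulated address.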
Yep. That solved my problem.

Thanks, Ralf

answered 17 Sep '10, 10:51 bradfield
This is a Q&A site, which operates a little differently from traditional web forums. If you're posting a comment, please click on the "add new comment" button.
If @SYNbit answered your question, please click on the check mark in order to accept his answer. That way it will float to the top and he'll earn karma points.
Hi Ralf, glad it solved your problem!
Would you be so kind as to "accept" my answer by clicking on the checkmark? That way the question will not show up on the "unanswered" list anymore. It also helps people to find the correct answer to the question (although that is not really a problem in this case) :-)
Last thing, it's better to use "add new comment" for this kind of message instead of posting a new "answer".
Cheers, Sake