This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Can I retrieve all the values for the same attribute name (Column name)?

0

Hi ,

Currently I am having a .pcap file with the below sample data. Just showing in an xml format..

<packet> <field name="radius.Class" show="ABC" value="ABC"/> </field> <field name="radius.Class" show="DEF" value="DEF"/> </field> <field name="radius.Class" show="HIJ" value="HIJ"/> </field> </packet>

The tshark command that I am using currently is

tshark -r "PCAP Input file location" -T fields -e radius.Class -E separator=, -E header=y > output.csv

Current result on Windows OS

radius.Class
ABC DEF HIJ

But for the same command on centOS or Linux I am getting only the last column as shown below

radius.Class

HIJ

For some reason it is retrieving only the last attribute value. Is there any way that I can retrieve all the columns on centOS or Linux ???

This question is marked "community wiki".

asked 27 Aug '13, 07:17

Sunny%20Reddy's gravatar image

Sunny Reddy
16115
accept rate: 0%

edited 15 Sep '14, 22:39

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

One Answer:

2

Which tshark version are you using on both systems, there have been changes in behavior between versions.

In recent versions you can use the option "-E occurrence=a" to print all fields and use "-E aggregator=<char>" to choose how the fields should be separated.

See tshark -h for more info...

answered 27 Aug '13, 09:53

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

Thanks for the help..

Sorry forgot to mention it

TShark 1.0.15

Copyright 1998-2010 Gerald Combs [email protected] and contributors. This is free software; see the source for copying conditions. There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

Compiled with GLib 2.12.3, with libpcap 0.9.4, with libz 1.2.3, without POSIX capabilities, with libpcre 6.6, with SMI 0.4.5, without ADNS, without Lua, with GnuTLS 1.4.1, with Gcrypt 1.4.4, with MIT Kerberos.

Running on Linux 2.6.18-308.16.1.el5, with libpcap version 0.9.4.

Built using gcc 4.1.2 20080704 (Red Hat 4.1.2-54).

(27 Aug '13, 10:12) Sunny Reddy

Hi SYN-bit, Tried doing that but I am getting the below error

tshark: " occurence" is not a valid field output option=value pair. TShark: The available options for field output "E" are: header=y|n Print field abbreviations as first line of output (def: N: no) separator=/t|/s|<character> Set the separator to use; "/t" = tab, "/s" = space (def: /t: tab) quote=d|s|n Print either d: double-quotes, s: single quotes or n: no quotes around field values (def: n: none)

(27 Aug '13, 11:08) Sunny Reddy

@Sunny Reddy, your version (1.0.15) is very ancient and doesn't qualify as a "recent version" as per the answer from @SYN-bit.

(27 Aug '13, 11:24) grahamb ♦

I think I added the "occurrence" output option in 1.4. So yes, you can get all the values of radius.Class on linux, but you will have to upgrade tshark. If 1.0.15 is the one from the repository, then you will have to compile a newer version yourself or switch to a more recent OS version with a more recent tshark version.

(27 Aug '13, 11:58) SYN-bit ♦♦