I tried using the following command, -e col.Info, but nothing was shown. What are the possible reasons for this?
asked 04 May '14, 21:49 tch
3 Answers:
Without upgrading to a newer version, there should still be a solution for you. You haven't indicated which version of Wireshark you're running, but I tested the following with an old build of both 1.6.5 and 1.8.7, and it seems to produce the output that you're looking for in both cases: Windows:
I haven't tested on *nix, but it should be similar:
If you're using a recent enough version of Wireshark (anything post-r52627) then you can find all the column format options by running:
answered 06 May '14, 09:36 cmaynard ♦♦
The most likely reason for the failure is that there is no such field (col.info) ;-)) See the Display Filter Reference. What are you trying to do? Regards
answered 05 May '14, 00:06 Kurt Knochner ♦
I am trying to add the information field. May I know what field to add? I could not find any solution till now. (05 May '14, 00:17) tch
As I mentioned, there is no Info 'field', so you cannot add it as a display filter. The Info 'column' exists in Wireshark and tshark (to some extent). In tshark it's included in the default output if you run
You can change the column format by using the following option:
Please replace xxxx by the format options shown by the following command:
Regards (05 May '14, 05:58) Kurt Knochner ♦
I believe you have misspelled the column name, as they are case-sensitive. tshark is capable of displaying the contents of any Wireshark column by using
From the above man page:
-e field Add a field to the list of fields to display if Example:
Obviously there is a typo in the man page, as the example should be
answered 05 May '14, 07:36 cmaynard ♦♦
I use col.Info but nothing is shown in the csv file. So, could it be the Development Release Version problem as below?
Yes, you can if you use the latest Development Release. See Wireshark Bug 2892. Download the Development Release Version 1.9.0. Use the following command:
$ tshark -i 2 -T fields -e frame.time -e col.Info
Output
Feb 28, 2013 20:58:24.604635000 Who has 10.10.128.203? Tell 10.10.128.1
Feb 28, 2013 20:58:24.678963000 Who has 10.10.128.163? Tell 10.10.128.1
Note -e col.Info, use capital I. (05 May '14, 17:56) tch
That information presumably came from the answer provided by joke to this question. At the time, the feature was only available in the development version, but the 1.10 stable release has it too. I would suggest that you either download the latest stable version, or if you're feeling adventurous enough, the latest 1.11 development version. (05 May '14, 18:12) cmaynard ♦♦
So is it a must to download it? Is there any other way to solve it? Anyway, thanks for your guides :) (05 May '14, 18:29) tch
I got the following output. But now how do I get that -> away from the code? And also, add double quotes for each column? Thanks for your help
1 0.000000 11.0.0.3 -> 10.0.0.3 Echo (ping) request id=0x0001, seq=838/17923, ttl=128
2 0.000849 11.0.0.1 -> 11.0.0.3 Destination unreachable (Communication administratively filtered)
3 0.612755 Cisco_98:f6:0c -> Spanning-tree-(for-bridges)_00 Conf. Root = 32768/20/00:08:21:98:f6:00 Cost = 0 Port = 0x800c
4 0.693912 a0:48:1c:df:8a:23 -> Cisco_90:27:58 Who has 11.0.0.1? Tell 11.0.0.3
5 0.694660 Cisco_90:27:58 -> a0:48:1c:df:8a:23 11.0.0.1 is at 00:1a:a1:90:27:58
6 1.002069 11.0.0.3 -> 10.0.0.3 Echo (ping) request id=0x0001, seq=839/18179, ttl=128
7 1.002911 11.0.0.1 -> 11.0.0.3 Destination unreachable (Communication administratively filtered)
8 2.004082 11.0.0.3 -> 10.0.0.3 Echo (ping) request id=0x0001, seq=840/18435, ttl=128
9 2.004971 11.0.0.1 -> 11.0.0.3 Destination unreachable (Communication administratively filtered)
10 2.415035 11.0.0.3 -> 11.0.0.2 http > 49354 [FIN, ACK] Seq=1 Ack=1 Win=251 Len=0
11 2.415422 11.0.0.2 -> 11.0.0.3 49354 > http [ACK] Seq=1 Ack=2 Win=16329 Len=0
12 2.612733 Cisco_98:f6:0c -> Spanning-tree-(for-bridges)_00 Conf. Root = 32768/20/00:08:21:98:f6:00 Cost = 0 Port = 0x800c
13 3.005537 11.0.0.3 -> 10.0.0.3 Echo (ping) request id=0x0001, seq=841/18691, ttl=128
14 3.006433 11.0.0.1 -> 11.0.0.3 Destination unreachable (Communication administratively filtered)
15 4.006995 11.0.0.3 -> 10.0.0.3 Echo (ping) request id=0x0001, seq=842/18947, ttl=128
16 4.007818 11.0.0.1 -> 11.0.0.3 Destination unreachable (Communication administratively filtered)
Try looking at the tshark -G column-formats output or the epan/column.c file to find the command-line format you need, using my example above as a starting point.
Now that I read this again, it seems more like what you want is Wireshark's "Export as CSV" output. If so, from Wireshark, try:
File -> Export Packet Dissections -> as "CSV" (Comma Separated Values packet summary) file...
I know that when exporting as CSV from Wireshark it is perfectly fine, but when using tshark, will it be able to produce exactly the same outcome as the CSV file? As in a tshark command. Thanks much for your help.
From the tshark man page:
-T pdml|psml|ps|text|fields
fields The values of fields specified with the -e option, in a form specified by the -E option. For example,
would generate comma-separated values (CSV) output suitable for importing into your favorite spreadsheet program.
... but if you want to be able to use arbitrary columns (col.foo), then you'll need to upgrade to a version of Wireshark that supports it.
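As an added example (not code from this thread), a POSIX shell snippet showing both routes discussed above: the command line for a tshark build that accepts -e col.Info, with -E quote=d so every column is double-quoted, and an awk fallback for older builds that turns the default text output quoted earlier (No. Time Src -> Dst Info) into the same quoted CSV shape. The sample lines are constructed after the output above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are my own.

# Route 1: on a tshark that accepts the Info column as a field (1.10+ per the
# thread; current releases spell it _ws.col.Info), ask for quoted CSV directly.
# -E quote=d wraps every value in double quotes, -E separator=, makes it CSV.
tshark_csv_cmd() {
    printf 'tshark -r %s -T fields -E header=y -E separator=, -E quote=d -e frame.number -e frame.time_relative -e ip.src -e ip.dst -e col.Info\n' "$1"
}

# Route 2: for an older tshark, post-process its default text output.
# Each line looks like: No. Time Src -> Dst Info...; drop the "->" and
# quote every column, doubling embedded quotes as RFC 4180 requires.
text_to_csv() {
    awk '
        $4 != "->" { next }              # skip lines not in the expected shape
        {
            info = ""
            for (i = 6; i <= NF; i++) info = info (i > 6 ? " " : "") $i
            gsub(/"/, "\"\"", info)
            printf "\"%s\",\"%s\",\"%s\",\"%s\",\"%s\"\n", $1, $2, $3, $5, info
        }'
}

# Constructed sample in the shape of the tshark output quoted above.
SAMPLE='1 0.000000 11.0.0.3 -> 10.0.0.3 Echo (ping) request id=0x0001, seq=838/17923, ttl=128
2 0.000849 11.0.0.1 -> 11.0.0.3 Destination unreachable (Communication administratively filtered)
4 0.693912 a0:48:1c:df:8a:23 -> Cisco_90:27:58 Who has 11.0.0.1? Tell 11.0.0.3'

# Stand-alone run: print the command for a capture file, then the converted sample.
tshark_csv_cmd capture.pcap
printf '%s\n' "$SAMPLE" | text_to_csv
```

The awk route collapses runs of spaces inside the Info text, which the -T fields route does not, so prefer the first route wherever the tshark version allows it.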