This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark column fields

0
1

I am using Wireshark on Ubuntu 12.04, and whenever I type in a field such as -e col.Protocol, col.Info, etc., I could not get any result displayed in a text editor or CSV file. Does anyone know what the problem is?

asked 06 May '14, 19:54

tch
accept rate: 0%

Which version of Wireshark are you using?

(07 May '14, 07:19) cmaynard ♦♦

Wireshark 1.6.7. Is it the latest? Sorry for asking so much, as I am new to it.

(07 May '14, 17:51) tch

No, Wireshark 1.6.7 is most definitely not the latest available version. The latest releases as of this writing are:

  • Stable: 1.10.7
  • Old Stable: 1.8.14
  • Development: 1.11.3

You can download them from http://www.wireshark.org/download.html.

The 1.6 branch went End-Of-Life on June 7, 2013. Refer to the LifeCycle page for more information about End-Of-Life planning.

(08 May '14, 07:20) cmaynard ♦♦

2 Answers:

3

So the answer to your question is simple. Version 1.6.7 doesn't support -e col.*. You need to upgrade to a version of Wireshark that does support it.

answered 09 May '14, 17:41

cmaynard ♦♦
accept rate: 20%

2

As of the 1.11.x and 1.12 versions of tshark, the field names are "_ws.col.Protocol" and "_ws.col.Info", instead of "col.Protocol" and "col.Info".

Example:

tshark -T fields -e _ws.col.Protocol -e _ws.col.Info

Source: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10201

answered 19 Jun '14, 16:50

CraigGarrett
accept rate: 0%

edited 20 Jun '14, 10:21
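
One way to keep a capture-processing script working across the versions discussed in the two answers above is to pick the field names from the installed tshark version. This is an added example, not code from the thread or from the Wireshark project; the function names are hypothetical, and treating 1.8 and 1.10 as using the "col." names is an assumption (the thread only confirms that 1.6.7 has no column fields and that 1.11.x/1.12 use "_ws.col.").

```shell
#!/bin/sh
# Added example: choose tshark column-field names to match the tshark version.

# Extract "MAJOR.MINOR" from the first line of `tshark -v`, read on stdin.
# Constructed sample banner: "TShark 1.10.7 (constructed banner)" -> 1.10
parse_tshark_version() {
    sed -n '1s/^[^0-9]*\([0-9][0-9]*\.[0-9][0-9]*\).*/\1/p'
}

# Print the column-field prefix for VERSION ("1.12" or "1.12.0").
# Returns 1 if the version has no column fields, 2 if it cannot be parsed.
ws_col_prefix() {
    case "$1" in *.*) ;; *) return 2 ;; esac
    major=${1%%.*}
    rest=${1#*.}
    minor=${rest%%.*}
    for part in "$major" "$minor"; do
        case "$part" in ''|*[!0-9]*) return 2 ;; esac
    done
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 11 ]; }; then
        printf '%s\n' '_ws.col.'      # 1.11.x, 1.12 and later
    elif [ "$major" -eq 1 ] && [ "$minor" -ge 8 ]; then
        printf '%s\n' 'col.'          # assumption: 1.8 and 1.10 use old names
    else
        return 1                      # e.g. 1.6.7, which lacks -e col.*
    fi
}

# Print "-e <prefix>Protocol -e <prefix>Info" for VERSION.
col_field_args() {
    prefix=$(ws_col_prefix "$1") || return $?
    printf '%s %sProtocol %s %sInfo\n' -e "$prefix" -e "$prefix"
}

# Stand-alone use: sh this_script capture.pcap
if [ "$#" -eq 1 ] && command -v tshark >/dev/null 2>&1; then
    ver=$(tshark -v 2>/dev/null | parse_tshark_version)
    args=$(col_field_args "$ver") || {
        echo "tshark '$ver' has no usable column fields; upgrade first" >&2
        exit 1
    }
    # Unquoted on purpose: $args must split into four separate words.
    tshark -r "$1" -T fields $args
fi
```

Failing loudly on an old or unparseable version avoids the situation in the question, where the extraction silently produces an empty file.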