I am relatively new to Wireshark.
I am generating packets from our test platform. These are being correctly decoded by Wireshark. They happen to be "mac-lte" packets, but that isn't relevant to the question I have...
I would like to interleave the generated packets with comments/logs packets, with the Wireshark decoded comments being displayed in the packet list pane (the top pane in the Wireshark GUI, showing a summary of the packets decoded). Note, I don't want to have to dig into the packet to see the text. I would like the text displayed on the packet list pane.
I'd like to use the standard Wireshark product off the shelf, without having to add a non-standard dissector. Is there a 'protocol' dissector packaged with the standard Wireshark product to display plain text? Failing that, does anyone have a plain text dissector they can share?
Thanks in advance, Robert
asked 13 Apr '11, 04:58
edited 13 Apr '11, 05:00
I think the syslog dissector might be the closest thing to what you need and the easiest to use in your case.
You can use "nc" (netcat) to send the cleartext messages like this:
Host 220.127.116.11 does not need to exist, as long as the route towards that host passes your capturing device :-)
Wireshark and tshark will now show you:
The "<xxx>" at the beginning of the message signifies the facility and the severity, where xxx is an 8-bit value in decimal representation. The most significant 5 bits denote the facility (LOCAL6 in my case) and the least significant 3 bits denote the severity (EMERG..DEBUG).
(of course you can also use the logger command on a unix-like system, but then you have to make sure you have a rule in the configuration of the local syslog daemon that forwards the message to a remote host like 18.104.22.168)
answered 13 Apr '11, 08:29
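As an added illustration of the facility/severity encoding described in the answer above (this is example code, not part of the original answer or of Wireshark), the script below builds a syslog datagram with the "<PRI>" prefix, splits the 8-bit PRI value back into its 5-bit facility and 3-bit severity fields, and maps them to names the way the Wireshark Info column does. The facility name table follows the RFC 3164 numbering and the UDP sender with port 514 are my assumptions, not anything stated in the answer.

```python
import socket

# Facility names indexed by numeric code (RFC 3164 numbering; codes 12-15 vary by vendor).
FACILITIES = [
    "kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
    "uucp", "cron", "authpriv", "ftp", "ntp", "security", "console", "clock",
    "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7",
]
# Severity names indexed by numeric code: 0 = EMERG ... 7 = DEBUG.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def encode_pri(facility: int, severity: int) -> int:
    """PRI = (facility << 3) | severity: upper 5 bits facility, lower 3 bits severity."""
    if not 0 <= facility < 24 or not 0 <= severity < 8:
        raise ValueError("facility must be 0..23 and severity 0..7")
    return (facility << 3) | severity


def decode_pri(pri: int) -> tuple:
    """Split an 8-bit PRI value back into (facility, severity) numbers."""
    if not 0 <= pri <= 191:  # 23 << 3 | 7 is the largest valid value
        raise ValueError("PRI must be 0..191")
    return pri >> 3, pri & 0x7


def build_message(text: str, facility: int = 22, severity: int = 0) -> bytes:
    """Build the datagram payload as the answer describes: "<PRI>" followed by the text."""
    return f"<{encode_pri(facility, severity)}>{text}".encode()


def parse_message(datagram: bytes) -> dict:
    """Recover what the packet list shows: facility name, severity name and the message text."""
    s = datagram.decode(errors="replace")
    if not s.startswith("<") or ">" not in s:
        raise ValueError("missing <PRI> prefix")
    pri_str, text = s[1:].split(">", 1)
    facility, severity = decode_pri(int(pri_str))
    return {"facility": FACILITIES[facility], "severity": SEVERITIES[severity], "text": text}


def send_udp(payload: bytes, host: str, port: int = 514) -> int:
    """Send one datagram; the host only needs to be routed past the capturing interface."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        return sock.sendto(payload, (host, port))


if __name__ == "__main__":
    msg = build_message("test platform: step 3 started", facility=22, severity=7)
    print(msg, parse_message(msg))
```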