This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

truncated fields in tshark


When I try to fetch NTLM fields from a sniff file, the fields are truncated to the first byte.
tshark -r file.pcap -T fields -e ntlmssp.auth.domain -e ntlmssp.auth.username -R ntlmssp.auth.username
output:
NULL NULL
B A
E A
D a
NULL NULL
B A
A A
D A
E a
For other string fields this works fine, and in Wireshark itself I get the complete string. Is this a bug, or am I missing something?

asked 03 May '11, 07:42


ruwi

edited 03 May '11, 19:18


cmaynard ♦♦

What version of tshark are you using and upon what platform/OS are you running it?

(03 May '11, 08:42) cmaynard ♦♦

Sorry for the late feedback: Wireshark 1.4.6, OS Win XP.

(13 May '11, 07:15) ruwi

OK, that's a new enough version of Wireshark, so I would expect this to work, but unfortunately I can't think of any reason why it wouldn't work. Unless someone else on this forum has any idea, you will probably need to post a capture file somewhere for someone to take a look at.

(13 May '11, 08:40) cmaynard ♦♦

It looks like we may be trying to print wide characters. After glancing through the code I don't see any obvious reason for this.

(13 May '11, 09:07) Gerald Combs ♦♦
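
The symptom the last comment points at, shown as an added example that is not part of the thread and not Wireshark's code. It assumes the field bytes are UTF-16LE (the encoding NTLMSSP uses when Unicode is negotiated); `sample_domain` and both function names are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Constructed sample: "BAR" as UTF-16LE, the encoding NTLMSSP uses for
 * strings when Unicode is negotiated. Not from the poster's capture. */
static const uint8_t sample_domain[] = { 'B', 0, 'A', 0, 'R', 0 };

/* Length a byte-oriented print (%s, strlen) sees: stops at the first NUL. */
size_t narrow_visible_len(const uint8_t *buf, size_t len)
{
    const uint8_t *nul = memchr(buf, 0, len);
    return nul ? (size_t)(nul - buf) : len;
}

/* Decode len bytes of UTF-16LE into NUL-terminated UTF-8. Returns bytes
 * written, or -1 on odd length, bad surrogate or too-small output. */
int utf16le_to_utf8(const uint8_t *in, size_t len, char *out, size_t cap)
{
    static const uint8_t lead[] = { 0, 0x00, 0xC0, 0xE0, 0xF0 };
    size_t o = 0;
    if (len % 2 || cap == 0) return -1;
    for (size_t i = 0; i < len; i += 2) {
        uint32_t cp = in[i] | (uint32_t)in[i + 1] << 8;
        if (cp >= 0xD800 && cp <= 0xDFFF) {   /* must be a high+low pair */
            if (cp > 0xDBFF || i + 3 >= len) return -1;
            uint32_t lo = in[i + 2] | (uint32_t)in[i + 3] << 8;
            if (lo < 0xDC00 || lo > 0xDFFF) return -1;
            cp = 0x10000 + ((cp - 0xD800) << 10) + (lo - 0xDC00);
            i += 2;
        }
        size_t n = cp < 0x80 ? 1 : cp < 0x800 ? 2 : cp < 0x10000 ? 3 : 4;
        if (o + n + 1 > cap) return -1;       /* keep room for the NUL */
        out[o++] = (char)(lead[n] | (cp >> (6 * (n - 1))));
        for (size_t k = n - 1; k-- > 0; )     /* continuation bytes */
            out[o++] = (char)(0x80 | ((cp >> (6 * k)) & 0x3F));
    }
    out[o] = '\0';
    return (int)o;
}

int main(void)
{
    char utf8[64];
    printf("as bytes: \"%s\" (%zu visible)\n", (const char *)sample_domain,
           narrow_visible_len(sample_domain, sizeof sample_domain));
    if (utf16le_to_utf8(sample_domain, sizeof sample_domain, utf8, sizeof utf8) > 0)
        printf("decoded:  \"%s\"\n", utf8);
    return 0;
}
```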