This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Truncated output

0

When capturing DHCP packets there is a specific field we wish to capture. This is being cut off at 24 characters so we cannot completely verify that it is correct. If we select the option -T pdml then it outputs the entire value but changing to XML would require a large amount of rework in some code we have. Is there a way to stop tshark truncating output? Notice the second last line in the capture below has ... on the end of it indicating the data has been truncated. We are using CentOS 6.2. This is just a basic TCP/IP capture, nothing fancy except that we are looking at DHCP traffic.

Our command line is this:

tshark -V -i vlan2090 -R "bootp.hw.mac_addr contains "00:17:33:00:00:00""

and output (which I've abbreviated) is like this:

Frame 77 (384 bytes on wire, 384 bytes captured) Arrival Time: Dec 8, 2014 14:06:55.751253000 ........................ Option: (t=43,l=41) Vendor-Specific Information Option: (43) Vendor-Specific Information Length: 41 Value: 01276163732E6578616D706C652E636F6D20322041424344... Option: (t=6,l=8) Domain Name Server

asked 21 Jan '15, 20:53

MikeKulls's gravatar image

MikeKulls
11226
accept rate: 0%

One Answer:

0

Have you tried just printing the field itself instead of the whole packet? I don't think individual field output is truncated. In other words, do this (all in one line):

tshark -V -i vlan2090 -R "bootp.hw.mac_addr contains "00:17:33:00:00:00"" -T fields -e bootp.option.vendor.value

Or you can output multiple fields, if you need to see more than just that one per DHCP packet.

answered 22 Jan '15, 06:02

Hadriel's gravatar image

Hadriel
2.7k2939
accept rate: 18%