In Wireshark, fields are shown in the packet details pane using some particular text rendering, but tshark shows a different rendering. For example, Is there a way to extract the text using tshark? I have a field in one of my dissectors that is added to the tree using
asked 05 Mar '15, 13:24 multipleinte...
One Answer:
I don't think you can do that currently with -T fields, as it only outputs the exact field contents, e.g. the 4 for ip.version. In your own protocol you could format up the text you want and add a generated text field, and tshark should output that verbatim.
answered 05 Mar '15, 14:00 grahamb ♦
can you point me to an example of how to create the (05 Mar '15, 14:06) multipleinte...
What parts do you want?
0100 .... = Version: 4
has a lot of cruft in it, and pretty much all but "4" is uninteresting, but
Opcode: request (1)
in an ARP packet contains both the raw numeric value of the field and its interpretation, and some might want to get the latter or both.
Not that there's any way to get that now, but that would be something useful to think about as an extension to, for example, the -e flag, so that you can, for a given field, request the raw value, the interpreted value, or both.
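An added example, not part of the original posts: tshark's PDML output (`-T pdml`) carries, for each field, both the rendered details-pane text (`showname`) and the raw value (`show`), so the raw value, the interpreted value, or both can be recovered by post-processing. The PDML fragment is constructed to match the two fields discussed above, and `extract` and `interpreted` are hypothetical helper names.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample in the shape of `tshark -r capture.pcap -T pdml` output.
SAMPLE_PDML = """<pdml>
  <packet>
    <proto name="ip" showname="Internet Protocol Version 4">
      <field name="ip.version" showname="0100 .... = Version: 4"
             size="1" pos="14" show="4" value="45"/>
    </proto>
  </packet>
  <packet>
    <proto name="arp" showname="Address Resolution Protocol (request)">
      <field name="arp.opcode" showname="Opcode: request (1)"
             size="2" pos="20" show="1" value="0001"/>
    </proto>
  </packet>
</pdml>"""


def interpreted(showname, show):
    """Reduce the rendered text to the interpreted value only."""
    text = re.sub(r"^[01. ]+ = ", "", showname)  # drop a "0100 .... = " bit mask
    text = text.split(": ", 1)[-1]               # drop the "Label: " prefix
    m = re.fullmatch(r"(.*) \((.*)\)", text)
    # Strip a trailing "(raw)" only when it really repeats the raw value.
    if m and m.group(2) == show:
        return m.group(1)
    return text


def extract(pdml_text, wanted):
    """Return (packet_no, field, raw, rendered, interpreted) for wanted fields."""
    rows = []
    root = ET.fromstring(pdml_text)
    for number, packet in enumerate(root.iter("packet"), 1):
        for field in packet.iter("field"):       # also reaches nested fields
            name = field.get("name")
            if name in wanted:
                show = field.get("show", "")
                showname = field.get("showname", show)
                rows.append((number, name, show, showname,
                             interpreted(showname, show)))
    return rows


if __name__ == "__main__":
    for row in extract(SAMPLE_PDML, {"ip.version", "arp.opcode"}):
        print(*row, sep="\t")
```
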