This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I get the packet detail text using tshark?

1
1

In Wireshark, fields are shown in the packet details pane using some particular text rendering, but tshark shows a different rendering.

For example, ip.version is rendered as 0100 .... = Version: 4 for a particular packet in Wireshark. Invoking tshark -r myPacket.pcap -T fields -e "ip.version" outputs 4.

Is there a way to extract the text using tshark?

I have a field in one of my dissectors that is added to the tree using proto_tree_add_int_format_value, and I'd like to be able to capture some parts of that formatted output using tshark in a script. I know I could export the packet to pdml using the "all expanded" format, but that gets to be very large for even moderately-sized files. As an alternative, can I add another field to my protocol and set its value explicitly somehow so I can use tshark to extract that?

asked 05 Mar '15, 13:24


multipleinte...
accept rate: 12%

What parts do you want? 0100 .... = Version: 4 has a lot of cruft in it, and pretty much all but "4" is uninteresting, but Opcode: request (1) in an ARP packet contains both the raw numeric value of the field and its interpretation, and some might want to get the latter or both.

Not that there's any way to get that now, but that would be something useful to think about as an extension to, for example, the -e flag, so that you can, for a given field, request the raw value, the interpreted value, or both.

(05 Mar '15, 17:34) Guy Harris ♦♦

One Answer:

1

I don't think you can do that currently with -T fields, as it only outputs the exact field contents, e.g. the 4 for ip.version.

In your own protocol you could format up the text you want and add it as a generated text field, and tshark should output that verbatim.

answered 05 Mar '15, 14:00


grahamb ♦
accept rate: 22%

Can you point me to an example of how to create the generated text field?

(05 Mar '15, 14:06) multipleinte...
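As an added illustration of the "generated text field" idea (this is not code from any participant in the thread, and it uses a Lua post-dissector rather than the C dissector API the question refers to): the script below registers a hypothetical protocol `iptext` with a single string field, `iptext.version_text`, fills it with the formatted text per packet, and marks the item as generated. Because the field is a normal registered string field, `tshark -T fields -e iptext.version_text` prints its contents verbatim, which is the behaviour the answer describes. The C equivalent of the same pattern is a string `hf` field added with `proto_tree_add_string` and flagged with `proto_item_set_generated`.

```lua
-- Added example (not from the original Q&A): a Lua post-dissector that exposes
-- formatted text as an extractable tshark field.
-- Assumed names: protocol "iptext", field "iptext.version_text".

-- Read the already-dissected ip.version value from the packet tree.
local ip_version = Field.new("ip.version")

-- A small post-dissector protocol holding one string field.
local iptext = Proto("iptext", "IP version as text")
local f_version_text = ProtoField.string("iptext.version_text", "Version text")
iptext.fields = { f_version_text }

function iptext.dissector(tvb, pinfo, tree)
    local v = ip_version()          -- nil for packets without an IP header
    if not v then
        return
    end

    -- Build the text you want to extract; any formatting is allowed here.
    local text = string.format("Version: %d", v.value)

    -- Add the string field and mark it as generated (shown in [brackets]).
    local subtree = tree:add(iptext, tvb())
    local item = subtree:add(f_version_text, text)
    item:set_generated()
end

-- Run after all other dissectors so ip.version is already populated.
register_postdissector(iptext)
```

Usage: save as `iptext.lua` and run `tshark -X lua_script:iptext.lua -r myPacket.pcap -T fields -e ip.version -e iptext.version_text`. The first column gives the raw value (`4`), the second the formatted text (`Version: 4`). Only the text you put into the string field is exported, so the dissector, not tshark, controls the rendering.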