This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark fields

0

I am using tshark to see some packets, but when I user the -T fields -e xxxx, I don't see a number instead of the actual meaning, is there an option I should put to be albe to see the field name and not the number For example I am looking at SGs failure, instead of seeing sgsap.msg_type as "SGsAP-PAGING-REJECT", I see sgsap.msg_type "2", If I use tshark -r file.pcap, I am going to see the output as I see it in wireshark with the names

asked 14 Apr '15, 12:29

alfromero's gravatar image

alfromero
6224
accept rate: 0%

One Answer:
active answersoldest answersnewest answerspopular answers
1

tshark -T fields -e xxx prints the raw values and there is no way to get the "text representation" of those values without a code change.

So, what you can do it to run the following command and then parse the output with a script:

tshrak -V -r input.pcap

Sample Output:

SGs Application Part (SGsAP)
    SGSAP Message Type: SGsAP-LOCATION-UPDATE-REQUEST (0x09)    <<<======= HERE !!!
    IMSI - IMSI (310444001001001)
        Element ID: 0x01
        Length: 8
        0011 .... = Identity Digit 1: 3
        .... 1... = Odd/even indication: Odd number of identity digits
        .... .001 = Mobile Identity Type: IMSI (1)
        BCD Digits: 310444001001001
    MME name - mmec01.mmegi9900.mme.epc.mnc012.mcc310.3gppnetwork.org
        Element ID: 0x09
        Length: 55
        MME name: mmec01.mmegi9900.mme.epc.mnc012.mcc310.3gppnetwork.org
    EPS location update type - IMSI attach
        Element ID: 0x0a
        Length: 1
        EPS location update type: IMSI attach (1)

As an alternative, you can also run this command to get more structured output

tshrak -r input.pcap -T pdml

Regards
Kurt

permanent link

answered 15 Apr '15, 02:32

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×832
×34
×33

question asked: 14 Apr '15, 12:29

question was seen: 2,917 times

last updated: 15 Apr '15, 02:32

Related questions

Number of fields to output

How to output Info Column as text for AMQP protocol?

tshark: Using filter expression as field ?

tshark protocol name display command

Tshark not resolving names and not showing protocol as text when exporting to CSV file

truncated fields in tshark

Defining a value type for a specific field

tshark -T fields (need the field for rssi or tx-power)

tshark -e output - how to bind value to a protocol container?

how to resolve name from ip addresses in .csv file using tshark command

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A