This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark fields

0

I am using tshark to see some packets, but when I user the -T fields -e xxxx, I don't see a number instead of the actual meaning, is there an option I should put to be albe to see the field name and not the number For example I am looking at SGs failure, instead of seeing sgsap.msg_type as "SGsAP-PAGING-REJECT", I see sgsap.msg_type "2", If I use tshark -r file.pcap, I am going to see the output as I see it in wireshark with the names

asked 14 Apr '15, 12:29

alfromero's gravatar image

alfromero
6224
accept rate: 0%

One Answer:
active answersoldest answersnewest answerspopular answers
1

tshark -T fields -e xxx prints the raw values and there is no way to get the "text representation" of those values without a code change.

So, what you can do it to run the following command and then parse the output with a script:

tshrak -V -r input.pcap

Sample Output:

SGs Application Part (SGsAP)
    SGSAP Message Type: SGsAP-LOCATION-UPDATE-REQUEST (0x09)    <<<======= HERE !!!
    IMSI - IMSI (310444001001001)
        Element ID: 0x01
        Length: 8
        0011 .... = Identity Digit 1: 3
        .... 1... = Odd/even indication: Odd number of identity digits
        .... .001 = Mobile Identity Type: IMSI (1)
        BCD Digits: 310444001001001
    MME name - mmec01.mmegi9900.mme.epc.mnc012.mcc310.3gppnetwork.org
        Element ID: 0x09
        Length: 55
        MME name: mmec01.mmegi9900.mme.epc.mnc012.mcc310.3gppnetwork.org
    EPS location update type - IMSI attach
        Element ID: 0x0a
        Length: 1
        EPS location update type: IMSI attach (1)

As an alternative, you can also run this command to get more structured output

tshrak -r input.pcap -T pdml

Regards
Kurt

permanent link

answered 15 Apr '15, 02:32

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×832
×34
×33

question asked: 14 Apr '15, 12:29

question was seen: 2,549 times

last updated: 15 Apr '15, 02:32

Related questions

Number of fields to output

tshark: Using filter expression as field ?

How to output Info Column as text for AMQP protocol?

tshark protocol name display command

Tshark not resolving names and not showing protocol as text when exporting to CSV file

truncated fields in tshark

tshark -e output - how to bind value to a protocol container?

how to resolve name from ip addresses in .csv file using tshark command

Defining a value type for a specific field

tshark -T fields (need the field for rssi or tx-power)

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A