By running the command tshark -r file.pcap -T pdml, we can get a dump of the field names which tshark/wireshark can display. I do not see any way to extract the value of the field with name="" and show="Frame Data (32 Bytes)". I was hoping to use tshark to get the AMR payload similar to tshark -r file.pcap -T fields -e data. This command works if tshark/wireshark is not able to decode the UDP payload.
Example of tshark -r file.pcap -T pdml ...
<proto name="rtp" showname="Real-Time Transport Protocol" size="45" pos="48">
<field name="rtp.setup" showname="Stream setup by SDP (frame 6)" size="0" pos="48" show="">
<field name="rtp.setup-frame" showname="Setup frame: 6" size="0" pos="48" show="6"/>
<field name="rtp.setup-method" showname="Setup Method: SDP" size="0" pos="48" show="SDP"/>
</field>
<field name="rtp.version" showname="10.. .... = Version: RFC 1889 Version (2)" size="1" pos="48" show="2" value="2" unmaskedvalue="80"/>
<field name="rtp.padding" showname="..0. .... = Padding: False" size="1" pos="48" show="0" value="0" unmaskedvalue="80"/>
<field name="rtp.ext" showname="...0 .... = Extension: False" size="1" pos="48" show="0" value="0" unmaskedvalue="80"/>
<field name="rtp.cc" showname=".... 0000 = Contributing source identifiers count: 0" size="1" pos="48" show="0" value="0" unmaskedvalue="80"/>
<field name="rtp.marker" showname="0... .... = Marker: False" size="1" pos="49" show="0" value="0" unmaskedvalue="68"/>
<field name="rtp.p_type" showname="Payload type: AMR-WB (104)" size="1" pos="49" show="104" value="68" unmaskedvalue="68"/>
<field name="rtp.seq" showname="Sequence number: 399" size="2" pos="50" show="399" value="018f"/>
<field name="rtp.extseq" showname="Extended sequence number: 65935" size="2" pos="50" show="65935" value="018f"/>
<field name="rtp.timestamp" showname="Timestamp: 95304" size="4" pos="52" show="95304" value="00017448"/>
<field name="rtp.ssrc" showname="Synchronization Source identifier: 0x0000f800 (63488)" size="4" pos="56" show="63488" value="0000f800"/>
</proto>
<proto name="amr" showname="Adaptive Multi-Rate" size="33" pos="60">
<field name="" show="Payload decoded as RFC 3267 bandwidth-efficient mode" size="33" pos="60" value="f17017f03865b095e96be78073c3897080d2d0fe674de85bb00cc6d87b8cd436fc"/>
<field name="amr.wb.cmr" showname="1111 .... = CMR: No mode request (15)" size="1" pos="60" show="15" value="f1"/>
<field name="amr.toc.f" showname=".... 0... = F bit: Last frame in this payload" size="1" pos="60" show="0" value="f1"/>
<field name="amr.wb.toc.ft" showname=".... .001 0... .... = FT bits: AMR-WB 12.65 kbit/s (2) / Frame OK" size="2" pos="60" show="2" value="f170"/>
<field name="amr.toc.q" showname=".1.. .... = Q bit: Ok" size="1" pos="61" show="1" value="70"/>
<field name="" show="Frame Data (32 Bytes)" size="32" pos="61" value="7017f03865b095e96be78073c3897080d2d0fe674de85bb00cc6d87b8cd436fc"/>
</proto>
Desired output from tshark (the value of <field name="" show="Frame Data (32 Bytes)" size="32" pos="61" value=...>):
6e512f224ee5b53453ba7b0f41da57e2dbd9d1d0f1226b2b3fb77f3f26a01818 7017f03865b095e96be78073c3897080d2d0fe674de85bb00cc6d87b8cd436fc
asked 28 Apr '15, 08:10
ler224
edited 28 Apr '15, 08:14
grahamb ♦
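One way to get that value without touching the dissector is to post-process the PDML itself: the "Frame Data" field has an empty name, so -T fields -e cannot select it, but it is still present in the PDML as a field whose show attribute starts with "Frame Data" and whose value attribute is the raw hex. The script below is an added example, not code from the original post or from the Wireshark project; it parses tshark -T pdml output from stdin, takes the AMR Frame Data bytes from every packet that has them, and falls back to the undecoded data.data field (the one -e data would give) for packets Wireshark did not decode. SAMPLE_PDML is constructed from the amr proto quoted in the question, wrapped in the pdml/packet elements tshark emits around it, plus a second constructed packet carrying a 4-byte undecoded payload; the pipeline in the docstring is a suggested usage, not one from the post.

```python
#!/usr/bin/env python3
"""Extract AMR "Frame Data" bytes from tshark PDML output.

Suggested pipeline (assumed, not from the original post):
    tshark -r file.pcap -T pdml | python3 extract_amr_frames.py
One line per packet, one hex string per frame, space-separated.
"""
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the <proto name="amr"> block quoted in the question,
# wrapped in <pdml>/<packet>. A second constructed packet shows the fallback
# case where Wireshark left the UDP payload as plain "data".
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0">
<packet>
<proto name="amr" showname="Adaptive Multi-Rate" size="33" pos="60">
<field name="" show="Payload decoded as RFC 3267 bandwidth-efficient mode" size="33" pos="60" value="f17017f03865b095e96be78073c3897080d2d0fe674de85bb00cc6d87b8cd436fc"/>
<field name="amr.wb.cmr" showname="1111 .... = CMR: No mode request (15)" size="1" pos="60" show="15" value="f1"/>
<field name="amr.toc.f" showname=".... 0... = F bit: Last frame in this payload" size="1" pos="60" show="0" value="f1"/>
<field name="amr.wb.toc.ft" showname=".... .001 0... .... = FT bits: AMR-WB 12.65 kbit/s (2) / Frame OK" size="2" pos="60" show="2" value="f170"/>
<field name="amr.toc.q" showname=".1.. .... = Q bit: Ok" size="1" pos="61" show="1" value="70"/>
<field name="" show="Frame Data (32 Bytes)" size="32" pos="61" value="7017f03865b095e96be78073c3897080d2d0fe674de85bb00cc6d87b8cd436fc"/>
</proto>
</packet>
<packet>
<proto name="data" showname="Data (4 bytes)" size="4" pos="42">
<field name="data.data" showname="Data: deadbeef" size="4" pos="42" show="de:ad:be:ef" value="deadbeef"/>
<field name="data.len" showname="Length: 4" size="0" pos="42" show="4"/>
</proto>
</packet>
</pdml>
"""


def _hex_value(field):
    """Return the field's raw hex, checking it matches the declared size."""
    value = field.get("value", "")
    size = int(field.get("size", "0"))
    if len(value) != 2 * size:
        raise ValueError(f"size/value mismatch at pos {field.get('pos')}")
    return value


def frame_data_by_packet(pdml_text):
    """Return a list (one entry per packet that yielded anything) of lists of
    hex strings: AMR Frame Data fields when the amr dissector ran, otherwise
    the undecoded data.data payload."""
    root = ET.fromstring(pdml_text)
    result = []
    for pkt in root.iter("packet"):
        frames = []
        for proto in pkt.iter("proto"):
            if proto.get("name") != "amr":
                continue
            for field in proto.iter("field"):
                # The interesting field has no name; match on its show text.
                if field.get("name") == "" and field.get("show", "").startswith("Frame Data"):
                    frames.append(_hex_value(field))
        if not frames:
            # Fallback: what `-T fields -e data` would have given us.
            for field in pkt.iter("field"):
                if field.get("name") == "data.data":
                    frames.append(_hex_value(field))
        if frames:
            result.append(frames)
    return result


def main(stream=sys.stdin):
    for frames in frame_data_by_packet(stream.read()):
        print(" ".join(frames))


if __name__ == "__main__":
    main()
```

Running it on the sample prints the 32-byte frame from the question on the first line and deadbeef on the second; bytes.fromhex() on each hex string gives the raw AMR frame for writing to a file or feeding a decoder.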
If you're unable to change (and submit) the dissector yourself, you can raise an issue on the Wireshark Bugzilla. Attaching a capture that displays the issue helps enormously.