
tshark -2 results in missing CSV output

0

Hi,

I have a short SQL/TDS trace and I want to output certain columns into CSV. If I run this command:

tshark -T fields -E separator=, -E quote=d -e frame.number -e ip.addr -e _ws.col.Info -r tds_sql_batch_first_10.pcapng

I get:

"1","10.100.20.223,10.100.20.220","1155â┼'1433 [ACK] Seq=3698378077 Ack=2551614322 Win=65535 Len=0"
"2","10.100.20.223,10.100.20.220","1154â┼'1433 [ACK] Seq=3762048005 Ack=3002787638 Win=65113 Len=0"
"3","10.100.20.223,10.100.20.220","SQL batch"
"4","10.100.20.220,10.100.20.223","Response"
"5","10.100.20.223,10.100.20.220","1155â┼'1433 [ACK] Seq=3698378553 Ack=2551614538 Win=65319 Len=0"
"6","10.100.20.223,10.100.20.220","SQL batch"
"7","10.100.20.220,10.100.20.223","Response"
"8","10.100.20.223,10.100.20.220","SQL batch"
"9","10.100.20.220,10.100.20.223","Response"
"10","10.100.20.223,10.100.20.220","1155â┼'1433 [ACK] Seq=3698379237 Ack=2551614965 Win=64892 Len=0"

However, I need to run tshark with the -2 (scan twice) option for a Lua script I want to use. As a test I run the same command above with the -2 option:

tshark -2 -T fields -E separator=, -E quote=d -e frame.number -e ip.addr -e _ws.col.Info -r tds_sql_batch_first_10.pcapng

and this gives this output:

"1","10.100.20.223,10.100.20.220",
"2","10.100.20.223,10.100.20.220",
"3","10.100.20.223,10.100.20.220",
"4","10.100.20.220,10.100.20.223",
"5","10.100.20.223,10.100.20.220",
"6","10.100.20.223,10.100.20.220",
"7","10.100.20.220,10.100.20.223",
"8","10.100.20.223,10.100.20.220",
"9","10.100.20.220,10.100.20.223",
"10","10.100.20.223,10.100.20.220",

So the Info column information is missing. I get a similar problem when I add a column from a field defined by my script. Is this what I should expect?

Thanks and regards...Paul

asked 26 Jul '15, 08:46


PaulOfford
accept rate: 11%

edited 26 Jul '15, 10:30


One Answer:

2

That's a bug. Please submit a bug at bugs.wireshark.org, with the above info. We don't need the capture file or Lua script, because it's a simple bug I can reproduce (and I already know how to fix).

Also, the weird text output of the info column in the single-pass case is probably due to Bug 11344, which has been fixed but won't be in a general release version until 1.12.7 is released (though you can get it now from the automated builds site). If it's not fixed in the automated builds, then it's yet another bug. :)

Lastly, if what you're trying to do is use Lua to put some info into the CSV output, you don't need to use the INFO column for that - your Lua script can create a new ProtoField which should be reference-able as a field in your tshark command like other fields. (though I've never tried that)

answered 26 Jul '15, 09:34


Hadriel
accept rate: 18%
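As an added illustration of the ProtoField approach suggested in this answer (example code written for this archive, not Hadriel's or the Wireshark project's own script), the post-dissector below defines its own fields under an invented "tdsnote" prefix so that tshark -T fields can select them with -e, while still appending to the Info column for the Wireshark GUI. It assumes the built-in TDS dissector exposes the packet type as "tds.type" (1 = SQL batch, 4 = response); the tds_sql_batch_first_10.pcapng file name is the one from the question.

```lua
-- Added example post-dissector (not code from the thread or from Wireshark).
-- It exposes its own ProtoFields so "tshark -T fields -e tdsnote.kind" can
-- print them directly instead of reading _ws.col.Info.
-- Assumptions: the TDS dissector registers "tds.type" (packet type byte);
-- all "tdsnote.*" names are invented for this example.
local tdsnote = Proto("tdsnote", "TDS batch note (example post-dissector)")

local f_kind    = ProtoField.string("tdsnote.kind", "Batch kind")
local f_tdstype = ProtoField.uint8("tdsnote.tdstype", "TDS packet type", base.DEC)
tdsnote.fields = { f_kind, f_tdstype }

-- Field extractors must be created at load time, not inside the dissector.
local tds_type_f = Field.new("tds.type")

-- TDS packet type values mapped to the labels we want in the CSV
-- (1 = SQL batch, 4 = tabular result / response; assumed from the TDS protocol).
local kinds = { [1] = "SQL batch", [4] = "Response" }

function tdsnote.dissector(tvb, pinfo, tree)
    local fi = tds_type_f()
    if not fi then return end                 -- not a TDS frame: add nothing

    local t = fi.value
    local kind = kinds[t] or ("type " .. tostring(t))

    -- Add our own subtree so the fields exist in the packet and are
    -- selectable with -e, in both one-pass and two-pass (-2) modes.
    local subtree = tree:add(tdsnote, tvb(), "TDS batch note")
    subtree:add(f_kind, kind)
    subtree:add(f_tdstype, t)

    -- Keep the Info column change for the Wireshark GUI; tshark users pick
    -- tdsnote.kind with -e rather than depending on _ws.col.Info.
    pinfo.cols.info:append(" [" .. kind .. "]")
end

register_postdissector(tdsnote)
```

With the script saved as tdsnote.lua, the CSV run from the question becomes: tshark -2 -X lua_script:tdsnote.lua -T fields -E separator=, -E quote=d -e frame.number -e ip.addr -e tdsnote.kind -r tds_sql_batch_first_10.pcapng. The asker notes that script-defined fields were also blank under -2 until the bug discussed here was fixed, so this only helps on a build that includes that fix (the comment below confirms the 1.12.7rc0 automated build works).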

Thanks Hadriel,

I do use ProtoField for almost all Lua script output but I have a particular requirement to modify the Info field in Wireshark and I don't want to have to produce one script for Wireshark and another for tshark.

I'll report the bug.

Best regards...Paul

(26 Jul '15, 09:41) PaulOfford
(26 Jul '15, 10:27) PaulOfford

Hi Hadriel, thanks for the rapid work on this. I installed the latest automated build (Wireshark-win64-1.12.7rc0-52-g9d3eb4b.exe) and it works fine.

(27 Jul '15, 02:54) PaulOfford

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(27 Jul '15, 06:12) Jaap ♦