This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capture Q-in-Q VLAN IDs with tshark -T fields

0

Hi all,

Is there a way to display both the values of the inner and the outer VLAN IDs of a Q-in-Q packet using tshark -T fields? Wireshark display filters allow defining conditions on both values simultaneously: for instance "vlan.id == 1 and vlan.id == 2" matches Q-in-Q packets that have their outer and inner VLAN IDs set to 1 and 2, respectively. However, the output of tshark -i eth1 -Tfields -e vlan.id -e vlan.id has its first column empty while the second column contains the value of the outer VLAN IDs.

Thanks!

asked 28 Jul '15, 08:10

yvan's gravatar image

yvan
6113
accept rate: 0%


One Answer:

1

From the tshark usage output (1.12.6):

-E<fieldsoption>=<value> set options for output when -Tfields selected:
     header=y|n            switch headers on and off
     separator=/t|/s|<char> select tab, space, printable character as separator
     occurrence=f|l|a      print first, last or all occurrences of each field
     aggregator=,|/s|<char> select comma, space, printable character as
                           aggregator

Using the occurence=a option you'll get all vlan tags, not sure how they come out though, all in the first column, or over multiple columns.

answered 28 Jul '15, 10:29

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

If an answer has solved your issue, please accept the answer for the benefit of other users by clicking the checkmark icon next to the answer. Please read the FAQ for more information.

(29 Jul '15, 04:58) grahamb ♦