Hi, I am trying to print some fields from a capture.
I get output which is free-form, like:
What I need is a name=value pair in the lines. How can I achieve the following:
As you can see, in the output I want, I need the field name with every entry. How can I achieve this?

edit: The above excerpt is a highly simplified version of the fields which are needed. In reality, there are about 20 fields and many of them are specific to the message type. So, I cannot really depend upon the order of the fields and such. If there is no way for tshark to provide it, it doesn't work for me. I need the output to be parseable so that I can process about 100GB of captures.

asked 25 Aug '15, 15:44 Prateek
edited 26 Aug '15, 06:21
2 Answers:
How about just using an awk script, assuming the columns are predictable in the output (no cases of two values in one column). Something like:
answered 25 Aug '15, 23:14 Quadratic

Although your answer solves the issue for simple cases, it does not solve the problem for me. There are more fields and some of them are specific to the request/response or message type. I need the output to be parseable so that I can process efficiently with python. If I have to post-process with awk anyway, then I would rather do it in python itself. I wanted not to depend upon the order of fields. (26 Aug '15, 06:23) Prateek

For fields which depend on context (like message type or request/response), the tshark output there should output null-valued cells in a case where an attribute doesn't exist in a given packet, so the column order and number should be dependably fixed either way. If the objective is to have the attribute and value presented in each cell of output within the confines of tshark itself without post-processing, it might be possible with a Lua script, though I don't believe it's possible purely within the existing tshark binary itself. Some specific protocols such as Diameter support a "-z" option to do kind of what you're looking for, though those are protocol-specific. (26 Aug '15, 21:32) Quadratic
Well, as tshark does not have such a functionality, you can either pre-process the output with awk (as mentioned by @Quadratic), or with Perl (see below), OR do the processing in your Python code, similar to what I've done in Perl, which is totally independent of the number of fields and their order.
Output:
Now, run that through the Perl script:
Output:
Of course you can also quote the field values, if there are spaces in the field values.
Perl script:
Hint: In the code it's STDIN; however, OSQA formats it to lowercase (stdin) for whatever reason. So, if you copy-paste the code, please replace stdin with STDIN. Regards

answered 28 Aug '15, 09:08 Kurt Knochner ♦
edited 28 Aug '15, 09:36
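The same post-processing idea in Python, as an added example that is not from the original answer or its Perl script: it reads `tshark -T fields` output that starts with a header line (`-E header=y`), so the field names come from the capture itself and the script never depends on the number or order of fields. The tshark invocation in the comment and the sample output are assumptions constructed for the example; empty cells are treated as "field not present in this packet", and a cell holding several occurrences (tshark's `-E occurrence=a -E aggregator=,`) is split into repeated name=value pairs.

```python
import sys

# Constructed sample of what `tshark -r cap.pcap -T fields -E header=y -E separator=/t
# -E occurrence=a -E aggregator=, -e frame.number -e ip.src -e ip.dst ...` would emit
# (assumed invocation): one tab-separated header line, then one line per packet.
SAMPLE = """frame.number\tip.src\tip.dst\ttcp.dstport\tudp.dstport\thttp.request.method\thttp.user_agent
1\t10.0.0.5\t10.0.0.9\t80\t\tGET\tMozilla/5.0 (X11)
2\t10.0.0.9\t10.0.0.5\t\t53\t\t
3\t10.0.0.5\t10.0.0.9\t80,443\t\t\t
"""

def parse_fields_output(lines, sep="\t", aggregator=","):
    """Yield one dict per packet from tshark -T fields output whose first line is the header.
    Empty cells (field absent in this packet) are dropped, so each dict holds only the
    fields that are really present; a cell with several occurrences becomes a list."""
    it = iter(lines)
    header = next(it, None)
    if header is None:
        return
    names = header.rstrip("\r\n").split(sep)
    for lineno, line in enumerate(it, start=2):
        line = line.rstrip("\r\n")
        if not line:
            continue
        cells = line.split(sep)
        if len(cells) != len(names):  # a separator inside a value would desync the columns
            raise ValueError(f"line {lineno}: {len(cells)} cells, header has {len(names)}")
        packet = {}
        for name, cell in zip(names, cells):
            if cell == "":
                continue
            vals = cell.split(aggregator)
            packet[name] = vals[0] if len(vals) == 1 else vals
        yield packet

def to_pairs(packet):
    """Render one packet as space-separated name=value tokens; values containing a space
    or a double quote are double-quoted (inner quotes backslash-escaped)."""
    parts = []
    for name, val in packet.items():
        for v in (val if isinstance(val, list) else [val]):
            if " " in v or '"' in v:
                v = '"' + v.replace('"', '\\"') + '"'
            parts.append(f"{name}={v}")
    return " ".join(parts)

if __name__ == "__main__":
    # Usage: python fields2pairs.py tshark_output.txt   (no argument: run on the sample)
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE.splitlines(True)
    for pkt in parse_fields_output(src):
        print(to_pairs(pkt))
```

Keeping the per-packet dict rather than the rendered string is usually what you want for the 100GB case: the script stays a streaming generator, so memory does not grow with the capture size.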
Based on comments so far, it is clear to me that there is no option built into tshark to do what I want. I have accepted one of the answers. However, I will implement the same logic in the python script which I have for processing those files.