This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Anyway to hide expert info

0

I am trying to parse XMPP messages. Looks like some attribute/elements are unknown. For each this attribute/element, there is "expert info" next to it. It is kind of annoying and make hard to read the packet info. Following is a screen capture.

alt text

Is there any way to remove expert info from the display window?

asked 08 Feb '16, 07:38

yacare's gravatar image

yacare
216611
accept rate: 0%

edited 08 Feb '16, 11:23

2 Answers:
active answersoldest answersnewest answerspopular answers
0

No, there's no way to do that (short of modifying Wireshark's source code).

Can I ask why you'd want to?

permanent link

answered 08 Feb '16, 11:08

JeffMorriss's gravatar image

JeffMorriss ♦
6.2k572
accept rate: 27%

Just updated my question above.

(08 Feb '16, 11:24) yacare

In that case, and assuming that the highlighted fields actually are valid XMPP, I'd suggest opening an enhancement request (with a sample capture) asking Wireshark to correctly decode those fields (that is, make Wireshark understand them/decode them so it stops noting that it didn't understand/decode them).

(08 Feb '16, 11:29) JeffMorriss ♦
0

To answer my question, expert info will not be shown when wireshark runs in command line with tshark.

Frame 4045: 971 bytes on wire (7768 bits), 971 bytes captured (7768 bits)
Ethernet II, Src: f0:1c:2d:43:ee:27 (f0:1c:2d:43:ee:27), Dst: 5c:b9:01:8b:6f:3c (5c:b9:01:8b:6f:3c)
Internet Protocol Version 4, Src: 172.222.19.203 (172.222.19.203), Dst: 172.222.76.4 (172.222.76.4)
Transmission Control Protocol, Src Port: xmpp-server (5269), Dst Port: 40897 (40897), Seq: 34670, Ack: 18449, Len: 905
[2 Reassembled TCP Segments (2353 bytes): #4043(1448), #4045(905)]
XMPP Protocol
    XML HEADER VER. 1.0
    MESSAGE []
        from: [email protected]
        to: compute4/bgp-peer
        EVENT [xmlns="http://jabber.org/protocol/pubsub"]
            xmlns: http://jabber.org/protocol/pubsub
            ITEMS [node="1/1/default-domain:admin:VRF_TEST:VRF_TEST"]
                node: 1/1/default-domain:admin:VRF_TEST:VRF_TEST
                ITEM [id="1.2.3.6/32"]
                    id: 1.2.3.6/32
permanent link

answered 12 Feb '16, 06:56

yacare's gravatar image

yacare
216611
accept rate: 0%

Odd... That actually sounds like a bug to me. Does it behave differently if you give the "-2" or "-Y"/"-R" options?

(12 Feb '16, 07:25) JeffMorriss ♦

Please don't fix it if it is indeed a bug. :)

Here is what I used.

tshark -X lua_script:xmpp.lua -r vhost0.pcap -O xmpp -Y "tcp.port==5269"

I don't see any difference with -2 option.

tshark -X lua_script:xmpp.lua -r vhost0.pcap -O xmpp -Y "tcp.port==5269" -2

(12 Feb '16, 07:31) yacare
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Question tags:

×11

question asked: 08 Feb '16, 07:38

question was seen: 1,425 times

last updated: 12 Feb '16, 07:31

Related questions

deleting error packets

Application performance expert

expert info

How do I interpret Wireshark Expert Infos output?

Does Wireshark have an expert analysis function?

Customizable Expert Window

Modifying the Expert

Wireshark 1.99.5 Expert Info

Unknown SCSI exchange can not decode SCSI data

tshark -z expert report in JSON or EK format

about | faq | privacy | support | contact

p​o​w​e​r​e​d by O​S​Q​A