
I am trying to parse XMPP messages. It looks like some attributes/elements are unknown. For each such attribute/element, there is "expert info" next to it. It is kind of annoying and makes it hard to read the packet info. Following is a screen capture.


Is there any way to remove expert info from the display window?

asked 08 Feb '16, 07:38 by yacare

edited 08 Feb '16, 11:23


No, there's no way to do that (short of modifying Wireshark's source code).

Can I ask why you'd want to?

answered 08 Feb '16, 11:08 by JeffMorriss ♦

Just updated my question above.

(08 Feb '16, 11:24) yacare

In that case, and assuming that the highlighted fields actually are valid XMPP, I'd suggest opening an enhancement request (with a sample capture) asking Wireshark to correctly decode those fields (that is, make Wireshark understand them/decode them so it stops noting that it didn't understand/decode them).

(08 Feb '16, 11:29) JeffMorriss ♦

To answer my own question: expert info is not shown when Wireshark runs from the command line as tshark.

Frame 4045: 971 bytes on wire (7768 bits), 971 bytes captured (7768 bits)
Ethernet II, Src: f0:1c:2d:43:ee:27 (f0:1c:2d:43:ee:27), Dst: 5c:b9:01:8b:6f:3c (5c:b9:01:8b:6f:3c)
Internet Protocol Version 4, Src: 172.222.19.203 (172.222.19.203), Dst: 172.222.76.4 (172.222.76.4)
Transmission Control Protocol, Src Port: xmpp-server (5269), Dst Port: 40897 (40897), Seq: 34670, Ack: 18449, Len: 905
[2 Reassembled TCP Segments (2353 bytes): #4043(1448), #4045(905)]
XMPP Protocol
    XML HEADER VER. 1.0
    MESSAGE []
        from: [email protected]
        to: compute4/bgp-peer
        EVENT [xmlns="http://jabber.org/protocol/pubsub"]
            xmlns: http://jabber.org/protocol/pubsub
            ITEMS [node="1/1/default-domain:admin:VRF_TEST:VRF_TEST"]
                node: 1/1/default-domain:admin:VRF_TEST:VRF_TEST
                ITEM [id="1.2.3.6/32"]
                    id: 1.2.3.6/32
answered 12 Feb '16, 06:56 by yacare

Odd... That actually sounds like a bug to me. Does it behave differently if you give the "-2" or "-Y"/"-R" options?

(12 Feb '16, 07:25) JeffMorriss ♦

Please don't fix it if it is indeed a bug. :)

Here is what I used.

tshark -X lua_script:xmpp.lua -r vhost0.pcap -O xmpp -Y "tcp.port==5269"

I don't see any difference with -2 option.

tshark -X lua_script:xmpp.lua -r vhost0.pcap -O xmpp -Y "tcp.port==5269" -2

(12 Feb '16, 07:31) yacare
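If tshark does print expert-info items in its tree output (as JeffMorriss expects it should), they can still be dropped after the fact instead of patching the dissector. The following is an added example, not code from this thread or from Wireshark: a POSIX sh/awk filter that removes each "[Expert Info (...): ...]" line together with the detail lines indented beneath it, using indentation as the tree depth. It assumes tshark renders an expert item that way; the sample tree, the FOO element and the expert item in it are constructed for the demonstration, and the capture file name in the usage comment is hypothetical.

```shell
# Constructed sample mimicking tshark -V / -O tree output. The FOO element
# and the expert item nested under it are made up for this demonstration.
sample_tree() {
  cat <<'EOF'
XMPP Protocol
    XML HEADER VER. 1.0
    MESSAGE []
        from: pubsub.example.org
        FOO [bar="1"]
            [Expert Info (Note/Undecoded): Unknown element: foo]
                [Unknown element: foo]
                [Severity level: Note]
                [Group: Undecoded]
            bar: 1
        to: compute4/bgp-peer
EOF
}

# Drop every "[Expert Info" line plus the lines nested under it, i.e. the
# following lines that are indented more deeply than the expert line itself.
# Everything else, including siblings that come after the subtree, is kept.
strip_expert_info() {
  awk '
    {
      match($0, /^ */)                 # leading spaces = tree depth
      ind = RLENGTH
      if (skipping && ind > skip_ind)  # still inside the expert subtree
        next
      skipping = 0
      if (substr($0, ind + 1, 12) == "[Expert Info") {
        skipping = 1                   # start skipping this subtree
        skip_ind = ind
        next
      }
      print
    }'
}

# Usage against a real capture (needs tshark; the file name is hypothetical):
#   tshark -r vhost0.pcap -O xmpp -Y "tcp.port==5269" | strip_expert_info
# Offline demonstration on the constructed sample:
sample_tree | strip_expert_info
```

Because the filter keys only on indentation and the "[Expert Info" prefix, it works the same for any dissector's expert items, not just the XMPP ones discussed here; severity and group lines are removed along with their parent.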
question asked: 08 Feb '16, 07:38

question was seen: 1,425 times

last updated: 12 Feb '16, 07:31

powered by OSQA