This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Any way to hide expert info

0

I am trying to parse XMPP messages. It looks like some attributes/elements are unknown. For each such attribute/element, there is "expert info" next to it. It is kind of annoying and makes it hard to read the packet info. Following is a screen capture.


Is there any way to remove expert info from the display window?

asked 08 Feb '16, 07:38

yacare

edited 08 Feb '16, 11:23


2 Answers:

0

No, there's no way to do that (short of modifying Wireshark's source code).

Can I ask why you'd want to?

answered 08 Feb '16, 11:08

JeffMorriss ♦

Just updated my question above.

(08 Feb '16, 11:24) yacare

In that case, and assuming that the highlighted fields actually are valid XMPP, I'd suggest opening an enhancement request (with a sample capture) asking Wireshark to correctly decode those fields (that is, make Wireshark understand them/decode them so it stops noting that it didn't understand/decode them).

(08 Feb '16, 11:29) JeffMorriss ♦

0

To answer my question, expert info will not be shown when Wireshark runs on the command line with tshark.

Frame 4045: 971 bytes on wire (7768 bits), 971 bytes captured (7768 bits)
Ethernet II, Src: f0:1c:2d:43:ee:27 (f0:1c:2d:43:ee:27), Dst: 5c:b9:01:8b:6f:3c (5c:b9:01:8b:6f:3c)
Internet Protocol Version 4, Src: 172.222.19.203 (172.222.19.203), Dst: 172.222.76.4 (172.222.76.4)
Transmission Control Protocol, Src Port: xmpp-server (5269), Dst Port: 40897 (40897), Seq: 34670, Ack: 18449, Len: 905
[2 Reassembled TCP Segments (2353 bytes): #4043(1448), #4045(905)]
XMPP Protocol
    XML HEADER VER. 1.0
    MESSAGE []
        from: [email protected]
        to: compute4/bgp-peer
        EVENT [xmlns="http://jabber.org/protocol/pubsub"]
            xmlns: http://jabber.org/protocol/pubsub
            ITEMS [node="1/1/default-domain:admin:VRF_TEST:VRF_TEST"]
                node: 1/1/default-domain:admin:VRF_TEST:VRF_TEST
                ITEM [id="1.2.3.6/32"]
                    id: 1.2.3.6/32

answered 12 Feb '16, 06:56

yacare

Odd... That actually sounds like a bug to me. Does it behave differently if you give the "-2" or "-Y"/"-R" options?

(12 Feb '16, 07:25) JeffMorriss ♦

Please don't fix it if it is indeed a bug. :)

Here is what I used.

tshark -X lua_script:xmpp.lua -r vhost0.pcap -O xmpp -Y "tcp.port==5269"

I don't see any difference with the -2 option.

tshark -X lua_script:xmpp.lua -r vhost0.pcap -O xmpp -Y "tcp.port==5269" -2

(12 Feb '16, 07:31) yacare