Mapping value to text tshark

Question

Hello, Is it possible in tshark to directly convert value to exact meaning text? I need similary like as: "tshark -r pcap -V" but I need it only on exact fields.

For example: tshark -r smpp.pcap -T fields -e smpp.command_id

Now I need to change to correct text like as (Submit_sm,Deliver_sm,and so on..) Something like tshark -e _ws.col.Info but I need it per argument for example _ws.col.smpp.command_id? Don't focus on protocol; I need it globally for a lot of different protocols.

Thanks a lot. Regards, Peter

Accepted Answer

To achieve this, you could try explicitly specifing the exact columns that you want to be displayed. For example, this will display the frame number and smpp.command_id for SMPP matching frames:

On *nix:

tshark -o 'gui.column.format:"No.","%m","SMPP Commmand ID","%Cus:smpp.command_id"' -Y "smpp" -r smpp.cap

On Windows:

tshark.exe -o "gui.column.format:\"No.\",\"%m\",\"SMPP Command ID\",\"%Cus:smpp.command_id\"" -Y "smpp" -r smpp.cap

Sample output:

 4 Bind_transmitter
 5 Bind_transmitter - resp
 7 Enquire_link
 8 Enquire_link - resp
 9 Submit_sm
10 Submit_sm - resp
12 Unbind
13 Unbind - resp

You can display just about any field using %Cus. For the so-called "built-in" fields, run tshark -G column-formats to see the specifiers needed (such as %m for the frame number in the example above).

You can also just run Wireshark and configure the columns you want there and then run tshark without the need to specify the columns, since tshark will just use the Wireshark-configured columns by default.

If you only want to use some of Wireshark's configured columns, you can pick and choose the ones you want using the -T fields -e field1 -e field2 ... syntax, specifying -e _ws.col.Operation for the SMPP Operation/Command ID field, "Operation" being the default name of the column when you right-click the field in Wireshark and choose, "Apply as column".