This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Filtering out Specific lines that contain Specific Information in the Information Column

0

I am looking to use tshark to export results of a filter when information in the "Info" column matches a specific string, say "DCI" (in other words, a certain keyword in the Info Column is the filter).

I already know how to use t-shark to export results using normal filters, aka -Y "filter" as seen in my previous questions), so I am wondering if there is a way to do this to filter out lines that contain specific information from a specific column.

If I need to use Linux in order to do this, please let me know how since I have never used the Linux approach before.

Any questions and comments are much appreaciated. A timely response is preferred though...

asked 03 May '16, 09:25

Midimistro's gravatar image

Midimistro
116610
accept rate: 50%

edited 13 May '16, 11:22

grahamb's gravatar image

grahamb ♦
19.8k330206

2 Answers:

0

The text in the Info column is in most cases an "executive summary" of the highest-layer protocol in that frame, i.e. the text in the Info column is usually composed from the contents of that protocol's fields, which can be referred to in the display filter expression (and for some dissectors, these values are complemented with some static text).

So you cannot refer to the contents of the Info column in your "display filter" (-Y) expression, but you can refer to its source protocol fields. The operator you'll most likely want to use is contains (to check whether a static substring exists in the protocol fields), or matches (if you prefer to use regular expressions for string pattern matching).

answered 03 May '16, 13:09

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

If that is the case, is there any way to export all the columns to a text file?

Do note that I use a custom profile.

(13 May '16, 09:12) Midimistro

"columns" are elements of the packet list. Any filterable protocol field may be made a packet list column, but not vice versa - the basic set of columns, including the Info column, has no equivalent filterable (pseudo)field (pseudo-fields are fields forged by Wireshark from the packet contents which do not represent any individual protocol field, or references to packet metadata, like timestamp, delay from previous packet etc.)

So if you know from which protocol field the string you look for is adopted into the Info column, you can filter on that protocol field; if you don't know that, there is no way to filter packets by that string.

If you run tshark without any command-line option (except -r), you'll get an equivalent of packet list as the only output if that's enough for you.

The tshark manual declares that you can combine -P option with -w to output packet list as text in parallel with writing the pcap output to a file name specified using the -w option, but in this case, post-processing the text output won't affect which packets will be written to the file.

What works but the manual doesn't mention it is to combine the -P option with the -O one. In that case, you'll get the packet list row followed by formatted dissection of the protocol(s) specified using the -O option. As the manual doesn't mention it, I don't know whether it is an intentional behaviour or a side effect.

What does not work is a combination of -P and -T fields - in this case, -T wins.

So depending on the number of packets you expect to filter, it may be a solution to run tshark without any option, use text processing to obtain a list of frame numbers, and then convert this list into a display filter expression to be specified using -Y on a subsequent run of tshark on the same input file.

The last chance is to file an enhancement request (a bug of severity "Enhancement"), asking for making _ws.col.* (where * stands for any column name) usable not only as a parameter to -e option (which is possible now) but also as a filterable field in -Y display filter expressions.

(13 May '16, 10:46) sindy

0

Maybe you could pipe the tshark output to something like findstr or grep, depending on your platform? For example, suppose you were analyzing a capture file and wanted to find all frames where an http GET request contained a request for a file containing the string you mentioned, namely DCI. On Windows you could use something like one of these:

  • tshark.exe -r file.pcap -Y "http.request.method == \"GET\"" -o "gui.column.format:\"No.\",\"%m\",\"Info\",\"%i\"" | findstr DCI
  • tshark.exe custom_profile -r file.pcap -Y "http.request.method == \"GET\"" -T fields -e frame.number -e _ws.col.Info | findstr DCI
  • tshark.exe -C custom_profile -r file.pcap -Y "http.request.method == \"GET\"" | findstr DCI

When using the -o gui.column.format method, specify as many fields as you need. Run "tshark.exe -G column-formats" for more help. Similarly, when using the -T fields method, specify as many -e fields as you need. If you already have a profile configured to display the columns of interest, then you can just use the last method with the specified profile.

This method does rely on you being able to narrow down the possible choices of Info columns to match against by some means other than by directly filtering on information in the Info column, but it might suffice for your purposes?

is there any way to export all the columns to a text file?

Do note that I use a custom profile.

Maybe I'm missing your intent, but you can do this simply by redirecting the tshark output to a file, i.e.:

tshark -C custom_profile -Y "filter" > file.txt

answered 13 May '16, 10:27

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

edited 13 May '16, 10:39