This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark - Exporting values of all fields with same name within a list

With reference to the below S1AP pcap log snapshot

The highlighted field above is s1ap.iE_Extensions which contains a list of items. I need to use Tshark to extract the id: field (s1ap.id) from Item0 and Item1 along with some other fields.

My tshark command looks like below as of now -

tshark -r test.pcap -Y "s1ap.procedureCode == 9" -T fields -e frame.time -e s1ap.procedureCode -E header=y -E separator=, > pcap_to_csv.csv

need help with exapanding the command so as to get the above fields (s1ap.id) for each item in s1ap.iE_Extensions list included in the exported file

tshark

asked 18 May '16, 07:56

wire990099
11●2●3●6
accept rate: 0%

One Answer:

Just add the -e s1ap.id once, you should get a list of all these fields found in the frame. "Should" because I do that with usb.iso.data which exists multiple times in a frame, but I don't output anything else so I cannot say how the values of s1ap.id will be arranged among the values of the other fields and separated from each other.

answered 18 May '16, 08:15

sindy
6.0k●4●8●51
accept rate: 24%