This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

If a Tshark field occurs more than once for a single packet, how can I specify the one do I need?

0

In Wireshark, in packet details, sometimes a field occurs more than once, i.e. sometimes it is nested inside more than one nodes. If I want to read the .pcap file in tshark and filter a particular field which occurs more than once under different nodes, can I specify which one I want?

For example, in the following screenshot, there is a field called Good Checksum nested under a node called Checksum. JUST SUPPOSE that Good Checksum also occurred at another place under another node, for the same node, say theOtherNode. The Tshark field for Good Checksum is tcp.checksum_good. So the normal Tshark command that I know of is

tshark -r filename.pcap -T fields -e tcp.checksum_good

The question is, that in Tshark, can I specify that I want the tcp.checksum_good nested under Checksum, and not the one nested under theOtherNode?

alt text

asked 04 Oct '16, 00:09

Jesss's gravatar image

Jesss
51141720
accept rate: 0%

2 Answers:

1

Unfortunately, currently there is no way to do so for fields which occur at the same encapsulation level. For your particular case where the two identically named fields exist at different encapsulation levels, you could possibly "misuse" MATE, which allows to specify the list of transport layers below which no extraction is performed, to extract your desired field into a new one like mate.mypdu.myfield which you would then refer to using -e. But the possibility would still depend on the particular arrangement of the protocols in the frame, and the MATE fields are always ASCII regardless what the source fields' format was.

answered 04 Oct '16, 01:51

sindy's gravatar image

sindy
6.0k4851
accept rate: 24%

1

The tshark -E occurrence=f|l|a option allows you to specify the first, last or all occurrences of each field. This setting is for all specified fields, not on a per field basis.

answered 04 Oct '16, 02:20

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

True, but the OP wanted to filter on a particular occurrence, while -E occurrence only controls what the -e shows.

(04 Oct '16, 02:29) sindy

It wasn't clear to me if the OP did want to filter as in display or capture filter or filter the output to restrict the occurrence of a repeated field. Unfortunately the term filter is used (and misused) in many ways by Wireshark folks.

If the occurrence the OP wants displayed is the first (or last) then the issue is resolved :-)

(04 Oct '16, 02:47) grahamb ♦