Hi guys, I'm testing tshark 1.10.14 on CentOS 7.2.1511 and tshark 1.0.15 on CentOS 5.11. I'd like to save, over a range of 10 minutes or more, mysql.user, ip.src and mysql.query. I have got as far as testing these commands:
ADDITION: I'm able to capture mysql.user with these commands:
The second configuration captures different records: records with only mysql.user and ip.src, and records with ip.src and mysql.query. @Jaap and @sindy confirmed that only with an ad hoc script can I create a single line with all three fields. Can the second configuration be improved? Thanks. asked 24 Oct '16, 09:38 bilardi, edited 26 Oct '16, 01:34
Do you have an (unfiltered) capture taken here, where the user field is filled in? Then you should be able to reverse engineer what you'll need to change.
@Jaap, I added the paragraph ADDITION. I'd like to be sure that I can only use the second configuration and process its output with an ad hoc script to create records in the format mysql.user\tip.src\tmysql.query, or does a tshark configuration exist that incorporates the action of this ad hoc script?
Are you sure that mysql.user and mysql.query exist in the same PDU? The thing is that the dissectors print fields of individual packets or reassembled PDUs, not from established sessions. So if a field is not present in a given packet (or a reassembled PDU), it is not printed for that packet/PDU even if the packet/PDU belongs to a session whose other packets do contain that field. If a PDU is split into several packets, the fields of that PDU are printed for the last packet of the PDU.
Thank you @sindy: you confirmed to me that only with an ad hoc script can I create one line mysql.user\tip.src\tmysql.query, because the output data gives me two different lines: mysql.user\tip.src and \tip.src\tmysql.query.
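The "ad hoc script" the thread settles on, as an added example that is not part of the original post or the tshark project: it reads the tab-separated lines that `tshark -T fields -e mysql.user -e ip.src -e mysql.query` writes (one line per packet, empty columns where a field is absent in that PDU, exactly the split sindy describes), remembers the last login user seen per ip.src, and emits one `mysql.user\tip.src\tmysql.query` record per query packet. The tshark command line, the sample lines and the `?` marker for a query seen before any login are assumptions made here; the sample is constructed, not a real capture.

```python
"""Join tshark field output into one line per MySQL query: user<TAB>ip.src<TAB>query.

Added example, not from the original thread. Assumes the input lines come from
(assumed command line):
    tshark -r capture.pcap -Y "mysql.user || mysql.query" \
        -T fields -e mysql.user -e ip.src -e mysql.query
i.e. tab-separated, one line per packet, with an empty column wherever the
field is not present in that packet/PDU.
"""
import sys
from typing import Dict, Iterable, List, Tuple

Record = Tuple[str, str, str]  # (mysql.user, ip.src, mysql.query)


def join_mysql_sessions(lines: Iterable[str]) -> List[Record]:
    """Stitch login packets and query packets together by source address.

    Keyed on ip.src as in the thread. Several connections from one host would
    share a key; adding tcp.srcport to the -e list and to the key tells them apart.
    """
    user_by_src: Dict[str, str] = {}   # last login user seen per ip.src
    records: List[Record] = []
    for raw in lines:
        line = raw.rstrip("\n")
        if not line.strip():
            continue                     # blank line
        parts = line.split("\t")
        if len(parts) != 3:
            continue                     # unexpected field count, skip defensively
        user, src, query = parts
        if user:
            user_by_src[src] = user      # login request PDU: remember the user
        if query:
            # query PDU: "?" marks a query whose login was not in the capture window
            records.append((user_by_src.get(src, "?"), src, query))
    return records


def format_records(records: Iterable[Record]) -> str:
    """Render records in the mysql.user\tip.src\tmysql.query layout the asker wants."""
    return "\n".join("\t".join(r) for r in records)


# Constructed sample of tshark -T fields output (assumption, not a real capture).
SAMPLE = [
    "app\t10.0.0.5\t",
    "\t10.0.0.5\tSELECT * FROM users WHERE id=1",
    "\t10.0.0.7\tSHOW TABLES",            # query before its login was seen
    "reporter\t10.0.0.7\t",
    "\t10.0.0.7\tSELECT count(*) FROM orders",
    "\t10.0.0.5\tUPDATE users SET last_login=NOW() WHERE id=1",
]


if __name__ == "__main__":
    # Usage: tshark ... -T fields -e mysql.user -e ip.src -e mysql.query | python join.py
    # With no piped input the constructed SAMPLE is used.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE
    print(format_records(join_mysql_sessions(source)))
```

Because tshark prints a field only for the packet (or reassembled PDU) that carries it, the join has to live outside tshark; the script above is that join, and it only works within the window of the capture: a query whose login happened before the capture started has no user to attach and is marked `?`.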