tshark 2.2.6 doesn’t display data.text field on some computer

Question

I want to capture and display the UDP traffic on a certain port using tshark. I want to display the text content on each captured line.

I have two computers both running CentOS 7. I built from sources latest Wireshark 2.2.6 following the tutorial here: http://blog.jeffli.me/blog/2016/08/14/build-latest-wireshark-in-centos-7/

I installed the resulting RPMs on both computers. After that I ran (as root) the following tshark command on both computers:

/usr/local/bin/tshark -f "port 3901" -i any -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e data.text

Then I ran the following on computer A (that's my desktop computer, running CentOS 7 in graphical mode):

echo "test message" | nc -u 192.168.224.60 3901

tshark showed the following line:

1   Apr 24, 2017 14:05:25.926688950 EEST    192.168.224.60  192.168.224.60  test message

That's exactly what I need.

Now.. I did exactly the same test on computer B (this is the remote computer running CentOS 7 in text mode), just the IP is different there.

tshark refuses to display the data.text field. It outputs a line like this, without data.text field:

1   Apr 24, 2017 11:06:19.947384620 UTC 192.168.0.60    192.168.0.60

I'm using the same nc version (6.4) on both computers.

I have no idea what could cause this different behavior of computer A vs B. What could prevent tshark on computer B from displaying the data.text?

[Edit]

I shared one capture from each computer below so you can compare them:

Computer A : https://goo.gl/kAyOrr

Computer B : https://goo.gl/Cuu8I9

I made the captures by running the following line on each computer:

tshark -i any -f "port 3901" -w "capture.pcap"

Then I sent two test messages on each computer:

echo "test message" | nc -u 192.168.0.2 3901
echo "test message again" | nc -u 192.168.0.2 3901

Accepted Answer

1

Try enabling the data dissector's preference to show the data as text:

tshark -r computerA.pcap -o data.show_as_text:TRUE -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e data.text

answered 25 Apr '17, 08:15

cmaynard ♦♦
9.4k●10●38●142
accept rate: 20%

Excelent! That -o data.show_as_text:TRUE did the job. I added that to my initial command and it started to show the data.text on any computer. Thanks a lot.

(25 Apr '17, 11:33) ciprian

1

Great!

By the way, if you don't want to have to specify that option on the command-line each time, you can permanently set it in Wireshark via Edit -> Preferences -> Protocols -> Data -> Show data as text.

(25 Apr '17, 11:39) cmaynard ♦♦

There is no graphical interface on the remote Linux host. But I'm fine with specifying that option in the command.

(26 Apr '17, 02:04) ciprian

Well, you can also change it by directly editing the Wireshark preferences file, typically located at $HOME/.wireshark/preferences on UNIX-compatible systems and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn't defined, %USERPROFILE%\Application Data\Wireshark\preferences) on Windows systems.

I only mention this for the benefit of anyone who might not necessarily want to specify extra options on the command-line.

(26 Apr '17, 07:36) cmaynard ♦♦

Answer 2

Both captures display the data for me, but as I'm using a single version of wireshark for both captures, this leads me even more strongly to think that there is something different about the setup on computer B.

Have you tried using computer B to display the capture from computer A, e.g. tshark -r computerA.pcap -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e data.text?

If this still doesn't display the data text, then either the application or the preferences must be different on B.