This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark 2.2.6 doesn’t display data.text field on some computer

0

I want to capture and display the UDP traffic on a certain port using tshark. I want to display the text content on each captured line.

I have two computers both running CentOS 7. I built from sources latest Wireshark 2.2.6 following the tutorial here: http://blog.jeffli.me/blog/2016/08/14/build-latest-wireshark-in-centos-7/

I installed the resulting RPMs on both computers. After that I ran (as root) the following tshark command on both computers:

/usr/local/bin/tshark -f "port 3901" -i any -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e data.text

Then I ran the following on computer A (that's my desktop computer, running CentOS 7 in graphical mode):

echo "test message" | nc -u 192.168.224.60 3901

tshark showed the following line:

1   Apr 24, 2017 14:05:25.926688950 EEST    192.168.224.60  192.168.224.60  test message

That's exactly what I need.

Now.. I did exactly the same test on computer B (this is the remote computer running CentOS 7 in text mode), just the IP is different there.

tshark refuses to display the data.text field. It outputs a line like this, without data.text field:

1   Apr 24, 2017 11:06:19.947384620 UTC 192.168.0.60    192.168.0.60

I'm using the same nc version (6.4) on both computers.

I have no idea what could cause this different behavior of computer A vs B. What could prevent tshark on computer B from displaying the data.text?

[Edit]

I shared one capture from each computer below so you can compare them:

Computer A : https://goo.gl/kAyOrr

Computer B : https://goo.gl/Cuu8I9

I made the captures by running the following line on each computer:

tshark -i any -f "port 3901" -w "capture.pcap"

Then I sent two test messages on each computer:

echo "test message" | nc -u 192.168.0.2 3901
echo "test message again" | nc -u 192.168.0.2 3901

asked 24 Apr '17, 23:52

ciprian's gravatar image

ciprian
11115
accept rate: 0%

edited 25 Apr '17, 05:14

1

The data.text field is usually populated when no dissector can actually dissect the packet as a "fallback". It's possible that the host that doesn't display the message is dissecting it as something else, maybe down to a differetn preference.

Can you share captures from host A & B in a publicly accessible spot, e.g. CloudShark, Google Drive, DropBox etc.?

(25 Apr '17, 03:05) grahamb ♦

I edited my question as you suggested and I added the captured files.

(25 Apr '17, 05:17) ciprian

2 Answers:

1

Try enabling the data dissector's preference to show the data as text:

tshark -r computerA.pcap -o data.show_as_text:TRUE -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e data.text

answered 25 Apr '17, 08:15

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

Excelent! That -o data.show_as_text:TRUE did the job. I added that to my initial command and it started to show the data.text on any computer. Thanks a lot.

(25 Apr '17, 11:33) ciprian
1

Great!

By the way, if you don't want to have to specify that option on the command-line each time, you can permanently set it in Wireshark via Edit -> Preferences -> Protocols -> Data -> Show data as text.

(25 Apr '17, 11:39) cmaynard ♦♦

There is no graphical interface on the remote Linux host. But I'm fine with specifying that option in the command.

(26 Apr '17, 02:04) ciprian

Well, you can also change it by directly editing the Wireshark preferences file, typically located at $HOME/.wireshark/preferences on UNIX-compatible systems and %APPDATA%\Wireshark\preferences (or, if %APPDATA% isn't defined, %USERPROFILE%\Application Data\Wireshark\preferences) on Windows systems.

I only mention this for the benefit of anyone who might not necessarily want to specify extra options on the command-line.

(26 Apr '17, 07:36) cmaynard ♦♦

1

Both captures display the data for me, but as I'm using a single version of wireshark for both captures, this leads me even more strongly to think that there is something different about the setup on computer B.

Have you tried using computer B to display the capture from computer A, e.g. tshark -r computerA.pcap -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e data.text?

If this still doesn't display the data text, then either the application or the preferences must be different on B.

answered 25 Apr '17, 06:10

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

I ran the suggested command four times, two times on each of the two computers A and B, using alternatively both .pcap files. data.text was never displayed, no matter the computer or pcap file.

And where to look for those preferences? I have exactly the same wireshark version on both computers.

(25 Apr '17, 06:26) ciprian

Try letting tshark show the complete info to see what it is being dissected as:

tshark -r computerA.pcap.

(25 Apr '17, 06:44) grahamb ♦