
I was looking into doing some post-processing work on some Wireshark logs I captured containing VMF packets. I noticed that the logs output from Wireshark have a 255-character limit per column and some packet data is being truncated. The issue is present in the summary as well when I'm doing live data captures. I'm using an older version of Wireshark (v1.10.3). Would updating to a newer version of Wireshark have a much larger limit?

asked 14 Jun '17, 08:32


MartinGD


From the latest column-info.h:

#define COL_MAX_LEN 256
#define COL_MAX_INFO_LEN 4096

As far as I can tell, these are the exact same values that were specified in 1.10 though, so if the column data of interest is anything but the Info column, you'll still be limited to COL_MAX_LEN.

To avoid truncation, you could try to:

  • Use tshark instead of Wireshark and specify the fields of interest as the output instead of relying on the column data. For example:

    tshark -r foo.pcap -T fields -e proto1.field1 -e proto1.field2 -e proto2.field1 ...

    You can specify as many fields as you wish including any custom columns that might have been truncated. For those columns that were not being truncated, you can use -e _ws.col.Foo where Foo is the name of the column, e.g., -e _ws.col.Info. Refer to the tshark man page for more information.

  • Compile Wireshark yourself, but with a larger value for COL_MAX_LEN.


answered 14 Jun '17, 10:34


cmaynard ♦♦

I'm not sure if the _ws.col.Foo format is supported in 1.10.

(14 Jun '17, 10:42) grahamb ♦

Right, I think it was originally just col.Foo back then. The _ws. prefix was added with the release of Wireshark 1.12.0.

(14 Jun '17, 10:44) cmaynard ♦♦

Also keep in mind that any given proto item's string representation is limited to 240 chars; I think that will also apply to tshark's -e output.

/** the maximum length of a protocol field string representation */
#define ITEM_LABEL_LENGTH       240

(14 Jun '17, 11:11) JeffMorriss ♦

Ah good point. I suppose the idea won't work without increasing that value too.

(14 Jun '17, 11:25) cmaynard ♦♦

Thanks for the input! Editing COL_MAX_LEN and recompiling Wireshark seems to have done the trick.

(14 Jun '17, 12:18) MartinGD
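Putting the two limits discussed in this thread (COL_MAX_LEN and ITEM_LABEL_LENGTH) to use, here is an added example that is not code from the thread or from Wireshark: a Python script that scans tshark -T fields TSV output and flags values that sit exactly at a buffer cap, which is the signature of silent truncation. It assumes the TSV was produced with -E header=y -E separator=/t and includes a frame.number column; the field names proto1.field1 and the sample rows are constructed.

```python
"""Flag probable truncation in tshark '-T fields' TSV output.

Constructed example for this thread, not Wireshark code. Assumes output like:
  tshark -r foo.pcap -T fields -E header=y -E separator=/t \
         -e frame.number -e _ws.col.Info -e proto1.field1
"""
import csv
import io

# Buffer sizes quoted in the thread. Each buffer holds a NUL terminator, so the
# longest visible string is one less than the #define value.
COL_MAX_LEN = 256          # column buffers (_ws.col.* fields)
ITEM_LABEL_LENGTH = 240    # any other proto item's string representation


def field_limit(name):
    """Longest value tshark can emit for this field before it is cut off."""
    if name.startswith("_ws.col."):
        return COL_MAX_LEN - 1
    return ITEM_LABEL_LENGTH - 1


def find_truncated(tsv_text):
    """Return (frame, field, length) for every value at or past its cap."""
    reader = csv.DictReader(io.StringIO(tsv_text), delimiter="\t")
    suspects = []
    for row in reader:
        frame = row.get("frame.number", "?")
        for name, value in row.items():
            if name in (None, "frame.number") or value is None:
                continue
            if len(value) >= field_limit(name):
                suspects.append((frame, name, len(value)))
    return suspects


# Constructed sample: frame 2 carries a 255-char Info column and a 239-char
# custom field, i.e. both values fill their buffers exactly.
SAMPLE_TSV = "\n".join([
    "frame.number\t_ws.col.Info\tproto1.field1",
    "1\tshort info\tshort value",
    "2\t" + "I" * 255 + "\t" + "P" * 239,
    "3\t" + "I" * 100 + "\t" + "P" * 200,
])

if __name__ == "__main__":
    for frame, name, length in find_truncated(SAMPLE_TSV):
        print(f"frame {frame}: {name} is {length} chars, likely truncated")
```

Any frame reported here should be re-extracted after raising the relevant limit and recompiling, as the accepted fix in the thread does.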
question asked: 14 Jun '17, 08:32

question was seen: 1,372 times

last updated: 14 Jun '17, 12:18
