This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Packet data being truncated in Columns

0

I was looking into doing some post processing work on some wireshark logs I captured containing VMF packets. I noticed that packets I found that the logs outputted from wireshark have a 255 character limit per column and some packet data is being truncated. The issue is present in the summary as well when I'm doing live data captures. I'm using an older version of wireshark(v1.10.3). Would updating to a newer version of wireshark have a much larger limit?

asked 14 Jun '17, 08:32

MartinGD's gravatar image

MartinGD
6112
accept rate: 0%

One Answer:

0

From the latest column-info.h:

#define COL_MAX_LEN 256
#define COL_MAX_INFO_LEN 4096

As far as I can tell, these are the exact same values that were specified in 1.10 though, so if the column data of interest is anything but the Info column, you'll still be limited to COL_MAX_LEN.

To avoid truncation, you could try to:

  • Use tshark instead of Wireshark and specify the fields of interest as the output instead of relying on the column data. For example:

    tshark -r foo.pcap -T fields -e proto1.field1 -e proto1.field2 -e proto2.field1 ...

    You can specify as many fields as you wish including any custom columns that might have been truncated. For those columns that were not being truncated, you can use -e _ws.col.Foo where Foo is the name of the column, e.g., -e _ws.col.Info. Refer to the tshark man page for more information.

  • Compile Wireshark yourself, but with a larger value for COL_MAX_LEN.

answered 14 Jun '17, 10:34

cmaynard's gravatar image

cmaynard ♦♦
9.4k1038142
accept rate: 20%

I'm not sure if the _ws.col.Foo format is supported in 1.10.

(14 Jun '17, 10:42) grahamb ♦

Right, I think it was originally just col.Foo back then. The _ws. prefix was added with the release of Wireshark 1.12.0.

(14 Jun '17, 10:44) cmaynard ♦♦

Also keep in mind that any given proto item's string representation is limited to 240 chars--I think that will also apply to tshark's -e output.

/** the maximum length of a protocol field string representation */
#define ITEM_LABEL_LENGTH       240
(14 Jun '17, 11:11) JeffMorriss ♦

Ah good point. I suppose the idea won't work without increasing that value too.

(14 Jun '17, 11:25) cmaynard ♦♦

Thanks for the input! Editing COL_MAX_LEN and recompiling wireshark seems to of done the trick.

(14 Jun '17, 12:18) MartinGD