This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Using two instances of a field as different custom columns

1

Hi folks!

What I want to do, is to add 2 custom columns to the WireShark view. The columns must contain a custom value which I add there by performing the following steps:

  1. Choose the relevant packet
  2. Open the relevant layer (GSM Mobile Application in my case)
  3. Click right mouse button on the desired field and choose "Apply as filter"alt text
  4. Then I check what appear in the filter edit field and copy this value (in this case: gsm_map.address.digits) List item
  5. Then I go to Edit->Preferences->Columns. Click on "Add", choose "Custom" Field Type and then use the field name acquired in step 4 (gsm_map.address.digits)

This way working fine, however a problem arise when I want to create 2 custom columns where the field name have the same name. For example consider the following screenshot: alt text

Here, I have 2 fields with similar name (gsm_map.address.digits). Obviously I cannot use the same name twice since it only will show the value which was assigned to the last appearing field.

Is there any way to solve this limitation?

Thanks!

asked 25 Mar '12, 05:10

Eugene%20S's gravatar image

Eugene S
21225
accept rate: 0%

edited 25 Mar '12, 07:19

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196

One Answer:

2

You'd have to create two columns with different "Field occurrence" values - 1 for the first "Address digits" field, 2 for the second. The dialog that pops up for "Columns" in Edit->Preferences has, for custom columns, a "Field occurrence" field to the right of the "Field name" field. That's where you'd put the "Field occurrence" value.

If the dialog doesn't have that field, it might have been added in a later version of Wireshark than the one you're using, in which case you're out of luck.

(Unfortunately, there's no way to, for example, say "the occurrence of gsm_map.address.digits in the networkNode-Number tree" or something such as that. I suspect that's what you really want, rather than the first and second occurrences of the field.)

answered 25 Mar '12, 07:17

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

edited 25 Mar '12, 11:51

@Guy Harris Thank you for your comment. However I'm not sure I understood your explanation. Could you please rephrase it? Thank you!

(25 Mar '12, 07:50) Eugene S

OK, I've given more details.

(25 Mar '12, 11:51) Guy Harris ♦♦

@Guy Harris You are right! I was using pretty old version of Wireshark. I just installed the last stable release (1.6.5) and now I can see the "Field Occurrence" you were referring to. Actually in this version both values already appeared in my custom created field by default. Thanks!

(25 Mar '12, 14:42) Eugene S

In 1.6, if you don't specify an occurrence, it might show all occurrences (if that's what you mean by "both values already appeared in my custom created field by default").

(25 Mar '12, 17:44) Guy Harris ♦♦

@Guy Harris Yes, that's exactly what I mean!

(26 Mar '12, 00:44) Eugene S