I need to get IS and ES Neighbors as well as Area Address for ISIS packets, but I do not see any Display Reference Filter for such. Can someone advise on how this may be done without parsing an ASCII text dump from tshark. asked 04 Apr '12, 07:23  clayton2710 |
One Answer:
Modify the ISIS dissector to add named fields for the items in question and then file a bug on the Wireshark Bugzilla with your patch, so that these changes get into a standard version of Wireshark, or file a bug on the Wireshark Bugzilla asking for that to be done and, once it's done, use that version of Wireshark? answered 04 Apr '12, 14:51  Guy Harris ♦♦ |
Perhaps, I should have been more concise with my question. These fields are already dissected, because they show up in the Details pane of Wireshark. However, there is no Display Filter Reference for the IS and ES Neighbors. I did finally find the Area Address reference. I need to process several hundred to thousand packet captures, so I obviously need automation. I can already look at the Details pane and see the data. Please do not suggest 'tshark -r (my-pcap.cap) -V' and then process those files for the data, it would be much too time consuming and take too much disk space. Many of these capture files have thousand to hundreds of thousand packets.
They may be dissected, but they do not have named fields corresponding to them, which is why there is no Display Filter Reference for them; Wireshark just puts them into the protocol tree as an unnamed text display, which means that the ONLY way to get them from an unmodified version of Wireshark is from the -V output from TShark.
Without making the changes I mentioned, there's nothing that can be done about the "much too time consuming", but, as both UN\*X systems and Windows support pipes in commands, you could try piping the output of TShark to a script rather than writing it to a file.