This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Resolving protocol names in custom tshark display filter

0

I want to parse the standard header outputs of tshark. Since the default doesn't work, I am using a custom field parser that does almost the same thing. What I am missing is the resolution of the name of the protocol. My command is:

sudo tshark -b 256 -P -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto -e ip.len -e col.Info -E separator=';' -b filesize:65535 -b files:10 -w tshark_tmp

This almost works, what I get is (this example is capturing two pings):

1378869929.862628000;192.168.78.252;192.168.78.53;1;84;Echo (ping) request  id=0x0abe, seq=65/16640, ttl=64
1378869929.863188000;192.168.78.53;192.168.78.252;1;84;Echo (ping) reply    id=0x0abe, seq=65/16640, ttl=64 (request in 1)

The same two pings look like this in the normal, no custom field tshark:

0.000000 192.168.78.252 -> 192.168.78.53 ICMP 98 Echo (ping) request  id=0x0abe, seq=13/3328, ttl=64
0.000707 192.168.78.53 -> 192.168.78.252 ICMP 98 Echo (ping) reply    id=0x0abe, seq=13/3328, ttl=64 (request in 1)

The main difference that I need to solve is that in mine I get 84 for the protocol, whereas tshark prints ICMP 98. I could implement my own lookup table, but there is a large number of protocols and tshark already knows how to decode them; I just need to figure out how to get that into my parsing.

asked 10 Sep '13, 21:54


jdwiegman
31226
accept rate: 100%


2 Answers:

1

Found the answer

-e col.Protocol

As always happens, you work on a problem for days, post the question, then find the answer.

answered 10 Sep '13, 22:00


jdwiegman
31226
accept rate: 100%

1

As of the 1.11.x and 1.12 versions of tshark, the field names are "_ws.col.Protocol" and "_ws.col.Info", instead of "col.Protocol" and "col.Info".

Example:

tshark -T fields -e _ws.col.Protocol -e _ws.col.Info

Source: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=10201

answered 19 Jun '14, 17:00


CraigGarrett
8613
accept rate: 0%

edited 20 Jun '14, 10:19
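A parser for the semicolon-separated `-T fields` output discussed in the question and both answers, with the Protocol column included. This is an added example, not code from the question or the answers; it assumes the field order listed in FIELDS, treats the Wireshark version cut-over (col.* vs _ws.col.*) as described in the second answer, and uses a constructed sample modelled on the two pings above.

```python
from dataclasses import dataclass
from typing import Optional

# Field order given to tshark with -e; the column fields use the _ws.col.*
# names of Wireshark 1.11+ (assumption of this example, see the answer above).
FIELDS = ["frame.time_epoch", "ip.src", "ip.dst", "ip.proto", "ip.len",
          "_ws.col.Protocol", "_ws.col.Info"]

def tshark_args(version, separator=";"):
    """Build the '-T fields' part of the command line, falling back to the
    old col.Protocol / col.Info names for tshark older than 1.11."""
    major, minor = (int(x) for x in version.split(".")[:2])
    legacy = (major, minor) < (1, 11)
    args = ["-T", "fields", "-E", "separator=" + separator]
    for name in FIELDS:
        if legacy and name.startswith("_ws.col."):
            name = name[len("_ws."):]
        args += ["-e", name]
    return args

@dataclass
class Record:
    time_epoch: float
    src: str
    dst: str
    proto_num: Optional[int]  # ip.proto number; empty for non-IP frames
    ip_len: Optional[int]
    protocol: str             # resolved name from the Protocol column
    info: str

def parse_line(line, separator=";"):
    """Split one output line. Info is last and may itself contain the
    separator, so split at most len(FIELDS)-1 times to keep it whole."""
    parts = line.rstrip("\n").split(separator, len(FIELDS) - 1)
    if len(parts) != len(FIELDS):
        raise ValueError(f"expected {len(FIELDS)} fields, got {len(parts)}")
    t, src, dst, proto, ip_len, protocol, info = parts
    return Record(float(t), src, dst, int(proto) if proto else None,
                  int(ip_len) if ip_len else None, protocol, info)

def parse_output(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]

# Constructed sample modelled on the question's two pings; not real output.
SAMPLE = (
    "1378869929.862628000;192.168.78.252;192.168.78.53;1;84;ICMP;"
    "Echo (ping) request  id=0x0abe, seq=65/16640, ttl=64\n"
    "1378869929.863188000;192.168.78.53;192.168.78.252;1;84;ICMP;"
    "Echo (ping) reply    id=0x0abe, seq=65/16640, ttl=64 (request in 1)\n"
)
```

Because the Info column is free text that may contain the separator, the parser keeps it as the last field rather than splitting it; prepend the tshark_args list to your capture options to reproduce the command from the question with the version-correct field names.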