Version 3.0.6 -e no colon separator

asked 2019-11-12 09:32:15 +0000

Hello everyone, i am working on extracting tcp packets from a pcap file. I've been using 2.2.6 version of wireshark and have always retrieved the packet data using -e using tshark command.

To my surprise when i upgraded to 3.0.6 the packets are now not separated by colon.

Do i need to set something in wireshark for the colons to appear or to is there another command i need to add in my script?

i'm a 2 week old user and started in 2.2.6 your help is highly appreciated!

edit retag flag offensive close merge delete


Can you show the full command you're using?

grahamb gravatar imagegrahamb ( 2019-11-12 10:38:07 +0000 )edit

@grahamb, an example would be, using the capture file from Bug 15303:

tshark -r eth-fcs-status-bad-from-onboard-NIC.pcapng -Y data -T fields -e frame.number -e

With 2.6.6, you get:

119     00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00

With 3.0.6, you get:

119     00000000000000000000000000000000000000000000000000000000000000
cmaynard gravatar imagecmaynard ( 2019-11-12 15:33:43 +0000 )edit

If you look at frame 119 with a "-T" of ek, json or pdml, the data is available with ":" between bytes. Something changed with the "-e" option between versions.

$ tshark -r ./eth-fcs-status-bad-from-onboard-NIC.pcapng -Y frame.number==119 -T pdml | tail -10
  <proto name="fake-field-wrapper">
    <field name="data" value="00000000000000000000000000000000000000000000000000000000000000">
      <field name="" showname="Data: 000000000000000000000000000000000000000000000000\xe2\x80\xa6" size="31" pos="29" show="00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" value="00000000000000000000000000000000000000000000000000000000000000"/>
      <field name="data.len" showname="Length: 31" size="0" pos="29" show="31"/>

bubbasnmp gravatar imagebubbasnmp ( 2019-11-13 06:17:33 +0000 )edit