Ask Your Question
0

Tshark displays Size values with bytes units

asked 2022-07-06 14:55:38 +0000

insilicium gravatar image

updated 2022-07-06 15:10:24 +0000

grahamb gravatar image

The command below, with tshark version 3.2.3:

tshark -qtu -z conv,tcp -r file.pcap > output

gives me the output in the form (I omit the header):

10.xx.xxx.xxx:63150  <-> 10.yyy.yy.yy:104 0 0 6502 9474992 6502 9474992 05:47:57  684,
0000
10.xxx.xxx.xxx:49667 <-> 10.yy.yy.ss:104  0 0 5241 7611840 5241 7611840 09:21:49 1117,
0000

In turn, the tshark version 3.4.2 gives me another output:

10.xx.xxx.xxx:63150  <-> 10.yyy.yy.yy:104 0 0 bytes 6502 9.474kB 6502 9.474kB 05:47:57       684,
0000
10.xxx.xxx.xxx:49667 <-> 10.yy.yy.ss:104  0 0 bytes 5241 7.611kB 5241 7.611kB 09:21:49      1117,
0000

That is, the most recent version inserts a kB or bytes units. Is there any option to display the values like the tshark old version, with pure values, without units?

TIA.

edit retag flag offensive close merge delete

Comments

3.4.2 isn't the most recent version, that's currently 3.6.6. That version still outputs the units though.

grahamb gravatar imagegrahamb ( 2022-07-06 15:10:29 +0000 )edit
add a comment

1 Answer

Sort by » oldest newest most voted
0

answered 2022-07-06 15:29:47 +0000

Chuckc gravatar image

Issue 15360: human-readable numbers
Commit e253e627: Use human-readable numbers for conversation stats

tap-iousers.c:

    rx_bytes = format_size(iui->rx_bytes, FORMAT_SIZE_UNIT_BYTES, 0);
    tx_bytes = format_size(iui->tx_bytes, FORMAT_SIZE_UNIT_BYTES, 0);
    total_bytes = format_size(iui->tx_bytes + iui->rx_bytes, FORMAT_SIZE_UNIT_BYTES, 0);

There is support for FORMAT_SIZE_UNIT_NONE in str_util.h and str_util.c. An option to indicate raw output instead of human readable would be needed for tshark.

edit flag offensive delete link more

Comments

Thanks for the reply.

insilicium gravatar imageinsilicium ( 2022-07-07 12:24:04 +0000 )edit

When we export to CSV format, the raw output works in Wireshark. However, it's not practical to use in a shell script.

insilicium gravatar imageinsilicium ( 2022-07-07 12:31:10 +0000 )edit

There is now a related open issue in Gitlab:
18321: Precise byte counts no longer available for ‘tshark -z conv’

Chuckc gravatar imageChuckc ( 2022-09-07 02:49:54 +0000 )edit
add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

subscribe to rss feed

Stats

Asked: 2022-07-06 14:55:38 +0000

Seen: 331 times

Last updated: Jul 06 '22

Related questions

Tshark conversation view output modification

how to invert two bytes in lua script dissector ?

How do I get and display packet data information at a specific byte from the first byte?

Deduplication in tshark -T ek [closed]

filtering out protocol, sequence number, and ack using tshark

Statistics / Conversations / Name Resolution

Using tshark filters to extract only interesting traffic from 12GB trace

Any way to use cmd tshark for a gns3 wire?

authority RRs tshark

can I install only tshark?