First time here? Check out the FAQ!

Ask Your Question
0

Tshark displays Size values with bytes units
 
  
 
  
 
 
 
 
 
 
    
        
        asked Jul 6 '2  
 
 insilicium gravatar image  
 
 
 
 
    
        
        updated Jul 6 '2  
 
 grahamb gravatar image  
 
 
 
 
 
The command below, with tshark version 3.2.3:
 
tshark -qtu -z conv,tcp -r file.pcap > output
 
gives me the output in the form (I omit the header):
 
10.xx.xxx.xxx:63150  <-> 10.yyy.yy.yy:104 0 0 6502 9474992 6502 9474992 05:47:57  684,
0000
10.xxx.xxx.xxx:49667 <-> 10.yy.yy.ss:104  0 0 5241 7611840 5241 7611840 09:21:49 1117,
0000
 
In turn, the tshark version 3.4.2 gives me another output:
 
10.xx.xxx.xxx:63150  <-> 10.yyy.yy.yy:104 0 0 bytes 6502 9.474kB 6502 9.474kB 05:47:57       684,
0000
10.xxx.xxx.xxx:49667 <-> 10.yy.yy.ss:104  0 0 bytes 5241 7.611kB 5241 7.611kB 09:21:49      1117,
0000
 
That is, the most recent version inserts a kB or bytes units. Is there any option to display the values like the tshark old version, with pure values, without units?
 
TIA.
 
Preview: (hide)
 
 
 
 
          
 
Comments
3.4.2 isn't the most recent version, that's currently 3.6.6.  That version still outputs the units though.
grahamb gravatar imagegrahamb (
    
        Jul 6 '2
    )
add a comment
 
 
 
 
 
 2 Answers
    
 
 
                    Sort by »
                     oldest newest most voted 
 
 
 
 
 
  
 
 
 
 
0
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered Jul 6 '2  
 
 Chuckc gravatar image  
 
 
 
 
 
Issue 15360: human-readable numbers
 Commit e253e627: Use human-readable numbers for conversation stats
 
 tap-iousers.c:
 
    rx_bytes = format_size(iui->rx_bytes, FORMAT_SIZE_UNIT_BYTES, 0);
    tx_bytes = format_size(iui->tx_bytes, FORMAT_SIZE_UNIT_BYTES, 0);
    total_bytes = format_size(iui->tx_bytes + iui->rx_bytes, FORMAT_SIZE_UNIT_BYTES, 0);

 
There is support for FORMAT_SIZE_UNIT_NONE in 
str_util.h and str_util.c. An option to indicate raw output instead of human readable would be needed for tshark.
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
Thanks for the reply.
insilicium gravatar imageinsilicium (
    
        Jul 7 '2
    )
When we export to CSV format, the raw output works in Wireshark. However, it's not practical to use in a shell script.
insilicium gravatar imageinsilicium (
    
        Jul 7 '2
    )
add a comment
 
 
 
 
   
 
 
 
 
0
 
 
  
 
 
 
 
 
 
 
 
    
        
        answered Sep 7 '2  
 
 Chuckc gravatar image  
 
 
 
 
 
There is now a related open issue in Gitlab:
 18321: Precise byte counts no longer available for ‘tshark -z conv’
 
Preview: (hide)
 
 
 
 
         
        link
        
 
Comments
Fixed/closed with 19329: conversations_taps: Add preference for machine readable output
Chuckc gravatar imageChuckc (
    
        Mar 24 '5
    )
add a comment
 
 
 
 
 
 
 
 
 

    
        Your Answer
    

 
 Please start posting anonymously - your entry will be published after you log in or create a new account.

    

 
 
Add Answer
 
 
 
 
 
 
 
 
   
  
 
   
 
 
 
 
 
 
 
 
Question Tools
  
 
 
 
 
 subscribe to rss feed 
 
 
 
 
 
 
Stats
 

        Asked:  Jul 6 '2  
 
 
        Seen: 362 times 
 

        Last updated: Jul 06 '22 
 
 
 
Related questions
 
 
 Tshark conversation view output modification 
 
 how to invert two bytes in lua script dissector ? 
 
 How do I get and display packet data information at a specific byte from the first byte? 
 
 Deduplication in tshark -T ek [closed] 
 
 filtering out protocol, sequence number, and ack  using tshark 
 
 Statistics / Conversations / Name Resolution 
 
 Using tshark filters to extract only interesting traffic from 12GB trace 
 
 Any way to use cmd tshark for a gns3 wire? 
 
 authority RRs tshark 
 
 can I install only tshark?