When parsing hci log with tshark, how to print only the btcommon.eir_ad.entry.uuid_16 associated with the btcommon.eir_ad.entry.type?
Consider the following command:
tshark -r hcilog.bin -Y 'bthci_evt.code == 0x3e && btcommon.eir_ad.entry.type == 0x16' -T fields -e bthci_evt.bd_addr -e btcommon.eir_ad.entry.uuid_16 -e btcommon.eir_ad.entry.service_data -E separator=, -E quote=d | sort | uniq
"bthci_evt.code == 0x3e" means it's an Bluetooth LE metadata "packet"
"btcommon.eir_ad.entry.type == 0x16" means it should be "Service Data" type
For the Service Data type, there should be exactly one UUID16 (16-bit value), followed by some arbitrary service data. E.g.
"f5:2d:e7:50:8c:e2","0x180a","1504742303"
The problem is, if there is that there can be other entries nested in the same packet, such as "btcommon.eir_ad.entry.type == 0x02" (incomplete UUID16 list), or "btcommon.eir_ad.entry.type == 0x03" (complete UUID16 list).
The btcommon.eir_ad.entry.uuid_16 output from tshark prints not only the UUID16 for the filtered btcommon.eir_ad.entry.type == 0x16 type, but any other instances that may exist for type 2 or 3. E.g.
"ef:5b:a1:1d:47:f4","0x180a,0x180f","63"
In the past I've used "-E occurrence=f" to de-duplicate things. But that's not valid in this case. Based on the data, I can see that there isn't any guaranteed ordering for whether the type 2/3 or type 0x16 appears first in the "packet". Sometimes 0x16 is first, and sometimes it's second. So if I used any occurrence value, it will be wrong.
What I really want is to only get the btcommon.eir_ad.entry.uuid_16 value that's specifically associated with the btcommon.eir_ad.entry.type == 0x16. Is there any way to do this?