
Piping tshark to sed intermittently displays packet number in addition to filter.

asked 2017-11-25 21:10:20 +0000

colin

I want to view just the ethernet address of the frame and then swap the ':' for '-' in the output. But the output seems to randomly display the frame number in addition to the MAC address. In the snip below you can see the frame number in the 4th frame and the 21st and 22nd. It seems to show up randomly. Is this a bug or something wrong with my syntax? The output without piping is fine; it's only when I pipe it into sed that things get wonky.

Note: dropping the '-l' from tshark only displays the frame number when piping to sed. That is also unexpected.

Here is my syntax:

tshark -i en10 -T fields -e eth.src -l | sed s/:/-/g

Does this:

72-81-eb-8e-6f-3a
72-81-eb-8e-6f-3a
72-81-eb-8e-6f-3a
4 72-81-eb-8e-6f-3a
72-81-eb-e8-4c-28
72-81-eb-e8-4c-28
72-81-eb-8e-6f-3a
72-81-eb-e8-4c-28
72-81-eb-e8-4c-28
72-81-eb-8e-6f-3a
72-81-eb-8e-6f-3a
72-81-eb-e8-4c-28
72-81-eb-e8-4c-28
72-81-eb-8e-6f-3a
72-81-eb-e8-4c-28
72-81-eb-e8-4c-28
72-81-eb-e8-4c-28
72-81-eb-e8-4c-28
72-81-eb-8e-6f-3a
72-81-eb-8e-6f-3a
21 72-81-eb-8e-6f-3a
22 72-81-eb-8e-6f-3a
72-81-eb-e8-4c-28
72-81-eb-8e-6f-3a
72-81-eb-8e-6f-3a
72-81-eb-8e-6f-3a
72-81-eb-8e-6f-3a


Comments

What version of tshark are you running? I recall a bug related to this that was fixed long ago. Perhaps you're using a very old version of tshark?

cmaynard (2017-11-25 23:25:19 +0000)

I can reproduce it with a recent build from the master branch. See analysis in my answer.

Guy Harris (2017-11-26 00:43:43 +0000)

1 Answer


answered 2017-11-25 23:12:40 +0000

Guy Harris

updated 2017-11-25 23:24:48 +0000

This is a bug in Wireshark. Please file a bug report on this at the Wireshark Bugzilla.

The number being printed is a count of packets captured. TShark won't print that if it's printing the packet information directly to a terminal, but it will do so if it hasn't been run with -q and it's not writing to a terminal.

Unfortunately, if it's writing to a pipe, it doesn't know whether the program at the end of the pipeline is writing to the terminal, so it can't suppress the packet count only in that case.

Equally unfortunately, there's no way to say "print packet information to the standard output but don't print the packet count"; -q will suppress the packet count and the packet information. The bug here is that you have no way to get packet information without packet counts if you're writing to a pipe. (And, in fact, -T fields should be sufficient to indicate that packet information should be sent to the standard output.)

Dropping -l means that packet information is buffered within the print routines in the C library, meaning that it won't be sent to the standard output until 4096 or so bytes of packet information have been written; it's not suppressed, it's just delayed, possibly for a long time. The packet counts are directly written to the standard error by TShark, so they show up.


Comments


Packet counts go to stderr, so these could be redirected to /dev/null before the pipe. This should do the trick:

tshark -i en10 -T fields -e eth.src -l 2>/dev/null | sed s/:/-/g
Jaap (2017-11-26 10:19:50 +0000)
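The following is an added example, not code from the question or from the answers above, that reproduces the mechanism described in the answer and the stderr redirect from the comment without needing a live capture. It uses a stand-in for tshark (fake_tshark, an assumption: it writes one eth.src line per frame to stdout and a running packet count to stderr with a trailing space and no newline, which is a simplification of tshark's real count output, not its exact format). The MAC addresses are the ones from the question's output; capture_src_macs is the real command with the fix applied and is not run here.

```shell
#!/bin/sh
# Added example (not from the thread). Demonstrates why the packet count
# leaks into the piped output and how the stderr redirect fixes it.

# Stand-in for 'tshark -T fields -e eth.src -l' when stdout is a pipe:
# field lines go to stdout, the running packet count goes to stderr.
# The "N " count format is an assumption, not tshark's exact output.
fake_tshark() {
    printf '72:81:eb:8e:6f:3a\n'
    printf '1 ' >&2
    printf '72:81:eb:e8:4c:28\n'
    printf '2 ' >&2
    printf '72:81:eb:8e:6f:3a\n'
}

# The transformation from the question: ':' separators become '-'.
mac_colon_to_dash() {
    sed 's/:/-/g'
}

# What the terminal shows for the original pipeline: stdout flows through
# sed, but stderr bypasses the pipe and lands on the same terminal, so the
# counts interleave with the converted addresses. Both streams are merged
# here (2>&1) only to make that interleaving visible in one string; the
# count, having no newline, ends up at the start of the next address line,
# which is the "4 72-81-eb-8e-6f-3a" shape seen in the question.
leaky_pipeline() {
    fake_tshark 2>&1 | mac_colon_to_dash
}

# The fix from the comment: discard stderr before the pipe so only the
# field lines reach sed. Nothing written to stderr can leak any more.
clean_pipeline() {
    fake_tshark 2>/dev/null | mac_colon_to_dash
}

# The real command with the fix applied. The interface defaults to en10
# from the question; this needs a live capture and capture privileges,
# so it is defined but not called here.
capture_src_macs() {
    tshark -i "${1:-en10}" -T fields -e eth.src -l 2>/dev/null | mac_colon_to_dash
}
```

Run `leaky_pipeline` and `clean_pipeline` side by side to see the difference; note that the 2>/dev/null must sit on the tshark side of the pipe, since a redirect on sed would not touch tshark's stderr at all. Keep -l, as the answer explains: without it the field lines are held in the C library's stdout buffer while the counts, written directly to stderr, still appear immediately.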


Last updated: Nov 25 '17