This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How can I get a list of all the VLAN IDs in a capture?

1
1

is it possible to have only one entry in packet table for specific vlan id even if we got 1000 packets of that vlan id , diiferent or same protocol & whatever be contents of that packet ?

Currently , we have to capture lot of packets then sort by vlan id & scroll through a long list to find what diferent vlan id's we received on our system.

asked 05 Nov '12, 00:41

manit's gravatar image

manit
15123
accept rate: 0%

edited 05 Nov '12, 12:49

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196


2 Answers:

1

You can't do that in the GUI, but that's were tshark can help. Capture your data with either Wiresahrk, dumpcap or tshark and write it to input.cap.

Then call tshark to extract the VLAN IDs.

tshark -r input.cap -T fields -e vlan.id

This will print all vlan IDs. However, you will get duplicates. So you need to filter those duplicates with a script and/or other tools.

Sort the values in numerical ascending order and eliminate duplicates.

Windows

powershell -command "tshark -r input.cap -T fields -e vlan.id | sort-object {[int] $_} -unique"

Linux

tshark -r input.cap -T fields -e vlan.id | sort -n -u

Regards
Kurt

answered 05 Nov '12, 01:09

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

that worked well , kurt .

There ain't a way to tell wireshark to show one row for specific vlan id ignoring other fields. I wanted following scenario: Let us say , we add another column called 'packet-count' to table . If a packet appears then check its vlan-id . If it has been encountered before , then add 1 to packet count else add another row with that vlan-id. That would mean analysing while capturing . Seems , that is not posssible.

(05 Nov '12, 01:37) manit

Seems , that is not posssible.

that's not possible, unless you change the code of Wireshark.

You can write a vlan dissector in Lua and add a field for your packet counter there. HOWEVER: That will not eliminate multiple packets with the same VLAN ID in the packet list.

BTW: You are talking about packet count and unique VLAN IDs. What do you actually want to know? How many VLAN IDs you captured and/or how many packets per VLAN ID? If so, why do you need that while you are capturing the data?

Maybe there is another way !?!

(05 Nov '12, 02:02) Kurt Knochner ♦

0

is it possible to have only one entry in packet table for specific vlan id even if we got 1000 packets of that vlan id , diiferent or same protocol & whatever be contents of that packet ?

No. That's not what the packet table is for. The "packet table" is a table of, well, packets, so there's one entry in the packet table for each packet.

It would be possible to have a statistics tap that displayed a table showing all VLAN IDs in the capture, just as we already have taps to show, for example, all Ethernet or IPv4 or IPv6 or... addresses in the capture. Taps can be written in Lua, although I'm not sure whether a Lua tap can pop up a table display in the GUI in Wireshark rather than just print it out as text in TShark.

answered 05 Nov '12, 12:48

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%