This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Number of fields to output

0

Hi,

I'm using TSHARK with the -T fields option and it worked great until I had a few more fields to output.

If I delete a few of the fields (NO matter which ones) it works.

Is there a maximum number (12) of fields that wireshark can output at once?

If so, how can I change that?

asked 11 Feb '13, 22:32


WiresharkUse...


One Answer:

0

As far as I know there is no limit on the number of fields. However, there may be a limit on the command-line length of your shell (rather large on Linux, much shorter on Windows).

  • What is your OS?
  • Can you post the tshark command that does not work?
  • Are there any error messages?

Regards
Kurt

answered 12 Feb '13, 02:36


Kurt Knochner ♦

edited 12 Feb '13, 02:37

I'm using windows.

The tshark command is just "tshark.exe -r file path -T fields -e ip.src -e ip.dst ...."

I'm not getting any errors, but when I'm looking at the output, the fields after the 12th field just don't exist. All the fields are OK because if I delete the first fields it works great...

(12 Feb '13, 03:07) WiresharkUse...

O.K., can you please add ALL fields, so I can test myself?

BTW: What is your tshark version (tshark -v)?

The following command (16 fields) works for me on Windows (tshark 1.8.4):

tshark -nr input.pcap -T fields -e frame.number -e frame.time -e frame.len -e eth.type -e eth.src -e eth.dst -e ip.version -e ip.hdr_len -e ip.dsfield -e ip.len -e ip.id -e ip.flags -e ip.dst -e ip.src -e ip.proto -e ip.ttl

Does that work on your system as well? If so, it's probably related to the fields you are using (please post your tshark command with all parameters).

(12 Feb '13, 04:00) Kurt Knochner ♦

I was wrong, the magic number is 15 not 12; the 16th field doesn't work.

I'm using version 1.8.1

(12 Feb '13, 09:41) WiresharkUse...

Some questions you did not yet answer. If you don't answer these questions, it's almost impossible to help you.

  • does my command (16 fields) work on your system? If no: Can you please post the output of the following command?

tshark -nr input.pcap -T fields -e frame.number -e frame.time -e frame.len -e eth.type -e eth.src -e eth.dst -e ip.version -e ip.hdr_len -e ip.dsfield -e ip.len -e ip.id -e ip.flags -e ip.dst -e ip.src -e ip.proto -e ip.ttl -E header=y

  • what is the full output of tshark -v?
  • can you please post your command with all options?

Some new questions:

  • how do you start tshark? From a DOS window (if so, is it the standard command interpreter cmd.exe?)? From Java or any other programming language?
  • can you please upgrade to the latest 1.8 release? Maybe it's a bug that has been fixed.

(12 Feb '13, 11:22) Kurt Knochner ♦

Hi, first of all thank you for your help!

I'm using tshark 1.8.1 x32 on windows XP.

I tried your command and it worked after replacing nr with r; nr is not recognized by my tshark. It worked, but when I added another 2 fields they stopped showing!

My real command is just very similar to what you posted here. I'm just trying to output a lot of fields from ip and tcp for a tcp analysis project (I can't post it here now because it is on a different computer).

(12 Feb '13, 23:28) WiresharkUse...

It worked but when I added another 2 fields they stop showing!

What are those two fields?

(13 Feb '13, 01:08) Kurt Knochner ♦

-e top.len -e tcp.seq

(13 Feb '13, 08:03) WiresharkUse...

It works on my system.

I'm sorry, but if you don't post the non-working output (I asked several times for it), I really can't help you. I need to see the output of the command listed below for any capture file that causes the effect on your system.

tshark -nr input.cap -T fields -e frame.number -e frame.time -e frame.len -e eth.type -e eth.src -e eth.dst -e ip.version -e ip.hdr_len -e ip.dsfield -e ip.len -e ip.id -e ip.flags -e ip.dst -e ip.src -e tcp.len -e tcp.seq -e tcp.ack -E header=y -E separator=;

You can use a sample capture file, if you don't want to expose your addresses/data.

You don't need to upgrade to 1.8.4. It works with 1.8.1 on my system as well, so it seems to be related to your PC.

BTW: You still did not answer the following question!

  • how do you start tshark? From a DOS window (if so, is it the standard command interpreter cmd.exe?)? From Java or any other programming language?

(13 Feb '13, 08:34) Kurt Knochner ♦
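An added example, not part of the thread: it assembles Kurt's 17-field command as an argument list (so it can be launched from a program without cmd.exe quoting or command-line length limits) and checks the `-E header=y -E separator=;` output for two different symptoms, columns that are really missing from a row versus columns that are present but empty in every packet. The sample output is constructed; tshark itself is only called by `run_and_check`.

```python
import subprocess
from typing import Dict, List

# The 17 fields from Kurt's final command in this thread.
FIELDS = ["frame.number", "frame.time", "frame.len", "eth.type", "eth.src",
          "eth.dst", "ip.version", "ip.hdr_len", "ip.dsfield", "ip.len",
          "ip.id", "ip.flags", "ip.dst", "ip.src", "tcp.len", "tcp.seq",
          "tcp.ack"]

def build_tshark_argv(pcap: str, fields: List[str],
                      separator: str = ";") -> List[str]:
    """Argument vector for `tshark -T fields`, built as a list so it can be
    handed to subprocess.run() without a shell (no cmd.exe quoting or
    command-line length concerns). Only options used in the thread appear."""
    argv = ["tshark", "-nr", pcap, "-T", "fields"]
    for field in fields:
        argv += ["-e", field]
    return argv + ["-E", "header=y", "-E", "separator=" + separator]

def check_field_output(text: str, separator: str = ";") -> Dict[str, list]:
    """Parse `-T fields -E header=y` output and tell two symptoms apart:
    rows with fewer/more columns than the header (a field really dropped)
    versus columns present but empty in every complete row (the field
    exists but no packet carried it, e.g. tcp.* in non-TCP traffic)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split(separator)
    rows = [ln.split(separator) for ln in lines[1:]]
    # 1-based data-row numbers (header excluded) with a column-count mismatch
    short_rows = [i + 1 for i, r in enumerate(rows) if len(r) != len(header)]
    full_rows = [r for r in rows if len(r) == len(header)]
    always_empty = [name for col, name in enumerate(header)
                    if full_rows and all(r[col] == "" for r in full_rows)]
    return {"header": header, "short_rows": short_rows,
            "always_empty": always_empty}

def run_and_check(pcap: str, fields: List[str] = FIELDS) -> Dict[str, list]:
    """Run tshark on a capture file and validate what it printed."""
    proc = subprocess.run(build_tshark_argv(pcap, fields),
                          capture_output=True, text=True, check=True)
    return check_field_output(proc.stdout)

# Constructed sample output (not from the thread): data row 3 lost its
# last column, and tcp.ack is empty in every complete row.
SAMPLE = "\n".join([
    "frame.number;frame.len;ip.src;tcp.len;tcp.ack",
    "1;74;10.0.0.1;0;",
    "2;66;10.0.0.2;0;",
    "3;1514;10.0.0.1;1460",
])
```

Running `check_field_output(SAMPLE)` reports row 3 as short and `tcp.ack` as always empty, which is the distinction the thread keeps asking the questioner to show with the `-E header=y` output.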