Is there a bug in tshark pdml output?

I extract the capture data of my network interface (which looks correct and legal in the Wireshark GUI) using tshark in the PDML format. The command is "tshark.exe -i 3 -T pdml".

I notice a consistent issue in one of the PDML fields. The field is in the TCP layer:

<field name="tcp.flags.str" showname="TCP Flags: ·······AP···" size="2" pos="46" show=""

The issue seems to be that part of the XML line is missing.

Is there a known issue with that? Should this line just be ignored?

Thank you in advance.


Edit: Wireshark version 3.4.3, OS Windows 10 Enterprise.

As for the console, I attempted to use the PDML output in my own .NET program, so I ran a tshark process and redirected its output to a .NET stream. I tried it with UDP data and it was fine. The problems started when I read TCP and TLS layer data.

Thanks to your question, I rechecked and ran tshark in PowerShell, and now I see the missing end of the fields, for some reason.

So now I know tshark does output the PDML correctly (and it is likely I am dropping part of the tshark fields in .NET somewhere).

I will recheck my work and share anything that comes up which may interest the Wireshark community. Thank you for the comment.
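Two things in the post are worth seeing in working code, so here is an added example (mine, not code from the post or from the Wireshark project). First, the `┬╖` pairs in the quoted field are exactly what the two UTF-8 bytes of the middle dot `·` (which tshark prints for each unset TCP flag) look like when a consumer decodes the redirected stdout with the OEM code page 437 instead of UTF-8; the example reproduces that. Second, a consumer that reads PDML line by line can act on a `<field>` before its line has fully arrived; feeding the raw bytes to an incremental XML parser and only collecting a field at its end event avoids that, and a stream that stops early is reported as incomplete rather than silently producing half a field. The PDML sample is constructed and trimmed to a few fields; the `tshark` binary on PATH, the interface index 3 from the post and the `-c` packet count in `capture_flags` are assumptions.

```python
"""Added example (not part of the original post): read tshark's PDML as a
byte stream, decode it as UTF-8 and parse it incrementally, so a field is
only reported once its element is complete, and a cut-off document is
flagged instead of silently yielding half a field."""
import io
import subprocess
import xml.etree.ElementTree as ET

MIDDLE_DOT = "\u00b7"  # the "·" tshark prints for an unset TCP flag

# Constructed sample, trimmed to a few fields, in the shape `tshark -T pdml`
# emits for one TCP segment with PSH and ACK set. Not real captured data.
FLAG_STR = MIDDLE_DOT * 7 + "AP" + MIDDLE_DOT * 3
SAMPLE_PDML = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    '<pdml version="0" creator="wireshark/3.4.3">\n'
    "<packet>\n"
    '<proto name="tcp" showname="Transmission Control Protocol" size="20" pos="34">\n'
    '  <field name="tcp.srcport" showname="Source Port: 443" size="2" pos="34" show="443" value="01bb"/>\n'
    '  <field name="tcp.dstport" showname="Destination Port: 52134" size="2" pos="36" show="52134" value="cba6"/>\n'
    '  <field name="tcp.flags" showname="Flags: 0x018 (PSH, ACK)" size="2" pos="46" show="0x00000018" value="18">\n'
    f'    <field name="tcp.flags.str" showname="TCP Flags: {FLAG_STR}" size="2" pos="46" show="{FLAG_STR}"/>\n'
    "  </field>\n"
    "</proto>\n"
    "</packet>\n"
    "</pdml>\n"
).encode("utf-8")


def mojibake(text: str, codepage: str = "cp437") -> str:
    """Show what UTF-8 text looks like when a console decodes the bytes with
    a legacy OEM code page instead (cp437 is the US Windows default)."""
    return text.encode("utf-8").decode(codepage)


def extract_fields(stream, wanted=("tcp.flags.str",)):
    """Incrementally parse PDML from a binary (bytes) stream.

    Returns (fields, complete): `fields` holds the interesting attributes of
    every <field> whose name is in `wanted`, collected at the element's *end*
    event so a truncated element is never reported; `complete` is False when
    the XML stops before the document is closed (for example a producer
    whose stdout was cut off or only partially read).
    """
    fields = []
    complete = True
    try:
        for _event, elem in ET.iterparse(stream, events=("end",)):
            if elem.tag == "field" and elem.get("name") in wanted:
                fields.append({k: elem.get(k) for k in ("name", "showname", "show", "size", "pos")})
            elem.clear()  # attributes already copied; keeps memory flat on long captures
    except ET.ParseError:
        complete = False
    return fields, complete


def parse_bytes(raw: bytes, wanted=("tcp.flags.str",)):
    """Convenience wrapper for PDML already held in memory."""
    return extract_fields(io.BytesIO(raw), wanted)


def truncated_sample() -> bytes:
    """The sample cut in the middle of the tcp.flags.str start tag, to mimic
    a consumer that stopped reading before the line had fully arrived."""
    return SAMPLE_PDML[: SAMPLE_PDML.rindex(b' show="')]


def capture_flags(interface="3", packets=10, tshark="tshark"):
    """Run tshark (assumed on PATH; interface index and packet count are
    assumptions) and feed its raw stdout bytes straight into the parser.
    Reading bytes rather than console text keeps the UTF-8 "·" intact."""
    argv = [tshark, "-i", str(interface), "-c", str(packets), "-T", "pdml"]
    with subprocess.Popen(argv, stdout=subprocess.PIPE) as proc:
        return extract_fields(proc.stdout)


if __name__ == "__main__":
    got, ok = parse_bytes(SAMPLE_PDML)
    print(ok, got[0]["show"])          # True ·······AP···
    print(mojibake(got[0]["show"]))    # ┬╖┬╖┬╖┬╖┬╖┬╖┬╖AP┬╖┬╖┬╖
    print(parse_bytes(truncated_sample()))  # ([], False)
```

The same idea carries over to a .NET consumer: read `StandardOutput.BaseStream` as bytes (or set `StandardOutputEncoding` to UTF-8) and hand it to a streaming XML reader instead of splitting on newlines, so a field is processed only once its element has closed.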