When parsing an HCI log with tshark, is it possible to get un-parsed, raw field values?

If I filter a log by (bthci_evt.code == 0x3e) && (btcommon.eir_ad.entry.type == 0x16), for most things, Wireshark/tshark doesn't know how to parse the btcommon.eir_ad.entry.service_data value, so if I print it out, I just get the raw value, which is what I want.

However, for some things, like the "Google/Apple Exposure Notification Service" (UUID - 0xfdf6), it knows how to parse it, so then my tshark output for btcommon.eir_ad.entry.service_data comes out empty, thus messing up my CSV output.

Is there a way to force override parsing, so that I can get raw values for fields, even if tshark knows how to parse them? (I've encountered this issue for other fields besides btcommon.eir_ad.entry.service_data. E.g. btcommon.cod.minor_device_class if btcommon.cod.major_device_class == 0x06 (Imaging). In that case I still just want to get the raw byte value for btcommon.cod.minor_device_class instead of the bit-parsed values.)
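
The raw service data can also be recovered from the advertising-data bytes themselves, whatever the dissector does with the field. The following is an added example, not part of the original question and not Wireshark code. It assumes the advertising payload of each event is already available as a hex string; the function names and sample bytes are constructed, and 0xfdf6 is the UUID value quoted in the question.

```python
import csv
import io

SERVICE_DATA_16 = 0x16  # AD type: Service Data - 16-bit UUID


def iter_ad_structures(adv: bytes):
    """Yield (ad_type, payload) for each length|type|data AD structure."""
    i = 0
    while i < len(adv):
        length = adv[i]              # counts the type byte plus the data bytes
        if length == 0:              # zero length: padding, nothing more to read
            break
        end = i + 1 + length
        if end > len(adv):           # truncated structure: stop, do not misparse
            break
        yield adv[i + 1], adv[i + 2:end]
        i = end


def service_data_rows(adv_hex: str):
    """Return [(uuid16, raw_service_data_hex)] for every 0x16 entry."""
    rows = []
    for ad_type, payload in iter_ad_structures(bytes.fromhex(adv_hex)):
        if ad_type == SERVICE_DATA_16 and len(payload) >= 2:
            uuid16 = int.from_bytes(payload[:2], "little")  # UUID is little-endian
            rows.append((f"0x{uuid16:04x}", payload[2:].hex()))
    return rows


def to_csv(adv_hex_list):
    """One CSV row per service-data entry, always with the raw bytes filled in."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["uuid16", "service_data"])
    for adv_hex in adv_hex_list:
        writer.writerows(service_data_rows(adv_hex))
    return out.getvalue()


# Constructed sample payloads (not taken from a real capture).
SAMPLES = [
    "0201060716f6fd01020304",  # flags + service data for UUID 0xfdf6
    "05163412aabb",            # service data for UUID 0x1234
    "0916f6fd0102",            # length byte claims more data than is present
]

if __name__ == "__main__":
    print(to_csv(SAMPLES), end="")
```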