Tshark seems to not apply dissectors since 4.2.x when filtering output

I'm stumbling over a behavior which seems to be different in Wireshark 4.2+ compared to 4.0.16 and older. It seems like Tshark 4.2+ is not applying our custom dissectors when converting to text file formats, whereas Wireshark is correctly applying the same dissectors to nicely view the exact same pcapng files. With Wireshark 4.0.x, the dissectors were applied also when converting to text file formats.

What I am doing:

  1. Capture packets with tshark: %PROGRAMFILES%\Wireshark\tshark.exe -w [output pcapng file] -i [SPI interface 1] -i [SPI interface 2] -n
  2. Convert the pcapng from step 1 with tshark to a CSV file: %PROGRAMFILES%\Wireshark\tshark.exe -r [pcapng file from above] -T fields -e frame.number -e _ws.col.Protocol -e _ws.col.Info -E header=y -E separator=, -E quote=d -E occurrence=f and pipe the output into a file.
  3. I parse the CSV file using code outside of Wireshark

What happens:

With Wireshark 4.0.x, the CSV file will contain correctly dissected packets, i.e., the columns _ws.col.protocol and _ws.col.info in the CSV file contain useful data. With Wireshark 4.2.9, the CSV file contains nothing useful. The column _ws.col.protocol contains the string "Split SPI" for every single one of thousands of packets, while _ws.col.info is just an empty string for every single packet. No errors are printed to stderr.

What I expect to happen:

Wireshark 4.2.9 should behave like 4.0.16 and older. I could not find anything related to this in the 4.2 release notes. If something is wrong with the dissectors, I would prefer to see an error message.

Additional info:

Wireshark works fine, only Tshark text output is affected

If I open the pcapng file (no matter whether it was traced with Wireshark 4.0.16 or 4.2.9 or 4.4.2) with any Wireshark version (4.0.16, 4.2.9 and 4.4.2 all work fine), the dissectors are correctly applied. I can see that both the "Protocol" and the "Info" column contain useful information, the same as the CSV files did with Tshark 4.0.16.

(For Wireshark 4.4.2 I had to adapt some of the Lua code because the dissectors were very old and incompatible with the newer Lua versions in Wireshark 4.4.x.)

Same problem with JSON instead of CSV

The problem is present also when switching the output format to JSON using -T json. In this case also the contents of the JSON file look like the dissector is not working or not applied.

Questions:

  1. Am I missing a change in Wireshark?
  2. How would I start debugging this problem? Tshark doesn't print any errors or warnings.
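
Because tshark reports nothing on stderr in the failure described above, the step that parses the export (step 3) is where the regression can be caught. The following is an added example, not part of the original post: a Python check that reads the CSV from step 2 and flags the symptom the post describes (every Protocol value equal to "Split SPI", Info empty). The sample rows, the PROTO_A/PROTO_B names, the function name and the 0.5 threshold are constructed assumptions.

```python
import csv
import io
from collections import Counter

# Constructed sample exports (not from the original post). Layout assumed from
# the options used in step 2: header=y, separator=',', quote=d.
GOOD_CSV = '''frame.number,_ws.col.Protocol,_ws.col.Info
"1","PROTO_A","Read request, len=4"
"2","PROTO_B","Write response, status=OK"
"3","PROTO_A","Read response, len=4"
'''
BAD_CSV = '''frame.number,_ws.col.Protocol,_ws.col.Info
"1","Split SPI",""
"2","Split SPI",""
"3","Split SPI",""
'''

def check_dissection(csv_text, fallback_protocol="Split SPI",
                     max_empty_info_ratio=0.5):
    """Return a summary of the export plus a list of detected problems."""
    reader = csv.DictReader(io.StringIO(csv_text), delimiter=",", quotechar='"')
    if reader.fieldnames is None:
        raise ValueError("export is empty: no header row")
    # Match header names case-insensitively: the post uses both
    # _ws.col.Protocol and _ws.col.protocol for the same column.
    cols = {name.strip().lower(): name for name in reader.fieldnames}
    missing = [c for c in ("_ws.col.protocol", "_ws.col.info") if c not in cols]
    if missing:
        raise ValueError(f"missing expected column(s): {missing}")
    proto_col, info_col = cols["_ws.col.protocol"], cols["_ws.col.info"]

    protocols, empty_info, total = Counter(), 0, 0
    for row in reader:
        total += 1
        protocols[(row[proto_col] or "").strip()] += 1
        if not (row[info_col] or "").strip():
            empty_info += 1

    problems = []
    if total == 0:
        problems.append("export contains no packets")
    else:
        if set(protocols) == {fallback_protocol}:
            problems.append(f"every packet is labelled {fallback_protocol!r}: "
                            "custom dissectors were probably not applied")
        if empty_info / total > max_empty_info_ratio:
            problems.append(f"{empty_info}/{total} packets have an empty Info column")
    return {"packets": total, "protocols": dict(protocols),
            "empty_info": empty_info, "problems": problems}

if __name__ == "__main__":
    for name, text in (("good", GOOD_CSV), ("bad", BAD_CSV)):
        print(name, check_dissection(text))
```

Running this check right after the conversion makes a pipeline fail visibly when a tshark upgrade changes the export, instead of passing empty columns on to later processing.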