This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Defining a value type for a specific field


Hi everyone!

The values returned by the GUI and by the tshark command in -T fields and -T PDML modes are not always necessarily the same. The following photo shows one of these fields (MNC-value):


The GUI shows the value "Telecom Deutschland GmbH (01)", the -T fields -e e212.mnc returns "1" and the PDML representation returns the following output, in which the value is represented in hex:

   <field name="e212.mnc" showname="Mobile Network Code (MNC): Telekom Deutschland GmbH (01)" size="2" pos="187" show="1" value="f210"/>

I would like to know if there is any way to tell tshark which one of these three outputs I would like to receive in the outcome (presented respectively as showname, show, value in PDML output); basically, if it is possible to ask tshark to return the value of this specific field in HEX or integer.

We are hoping this could be achieved by using something like this on the command line: -T fields -e e212.mnc ==> -T fields -e hex:e212.mnc

I would really appreciate any feedback and help on this matter.

asked 05 Jul '16, 01:56

arashdalir

Placing the same question another time doesn't help get it answered (and the fact that another member of the team is asking it doesn't change anything). Normally the marshals of the site would close one of them as a duplicate.

The idea of an output format modifier is itself good, but you'll have to file it as an enhancement request at Wireshark bugzilla. In parallel, you may file another bug, asking for mere correction of what you consider a wrong display (showing just 1 instead of 01).

For the moment, you'll have to use a post-process (script) to achieve your goal.

But I wonder whether it is really possible that the mnc value would be just a single nibble in size? I.e. is there really so much semantic difference between 1 and 01?

(05 Jul '16, 10:30) sindy

Well, technically this is a new question. We are now looking for another solution and approach. We have been working on a solution and have even designed our own internal one (kind of a result modifier - still just a concept), but we are not sure if this is something useful for the community and wanted to see if someone else knows about an already implemented solution and also ask for feedback. As we are not sure if this is something that is already available, we thought asking about it would be better than requesting an existing feature. Yes, 1 and 01 are mathematically the same, but technically not. If a 1-digit MNC value is presented in the traffic, it might be considered an erroneous entity, as MNC should be 2 digits (and in newer versions I believe even 3 digits) long. So the semantic interpretation is different.

(06 Jul '16, 00:55) arashdalir

As per Sindy's suggestion, I've created the following enhancement request in bugzilla: https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=12606

(11 Jul '16, 02:56) arashdalir
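
The post-processing script suggested in sindy's comment could look like the following; this is an added example, not code from the thread or from Wireshark. The PDML wrapper around the `<field>` element is constructed, and `mnc_digits` assumes the two bytes covered by e212.mnc follow the 3GPP TS 24.008 PLMN layout, which is how the leading zero is recovered.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample: the <field> element from the question inside a minimal
# PDML skeleton (the wrapper elements and the proto name are assumptions).
SAMPLE_PDML = """<pdml><packet><proto name="example">
  <field name="e212.mnc" showname="Mobile Network Code (MNC): Telekom Deutschland GmbH (01)" size="2" pos="187" show="1" value="f210"/>
</proto></packet></pdml>"""

PDML_ATTRS = ("showname", "show", "value")


def field_values(pdml_text, name, attr="show"):
    """Return the chosen PDML attribute for every occurrence of a field."""
    if attr not in PDML_ATTRS:
        raise ValueError(f"attr must be one of {PDML_ATTRS}")
    root = ET.fromstring(pdml_text)
    return [f.get(attr, "") for f in root.iter("field") if f.get("name") == name]


def mnc_digits(value_hex):
    """Decode the MNC digit string from the raw bytes in the 'value' attribute.

    Assumed layout (3GPP TS 24.008 PLMN identity, last two octets):
      byte 0: MNC digit 3 (high nibble, 0xF = filler) | MCC digit 3 (low)
      byte 1: MNC digit 2 (high nibble)               | MNC digit 1 (low)
    """
    raw = bytes.fromhex(value_hex)
    if len(raw) != 2:
        raise ValueError("expected exactly two bytes for e212.mnc")
    d1, d2, d3 = raw[1] & 0x0F, raw[1] >> 4, raw[0] >> 4
    digits = [d1, d2] if d3 == 0xF else [d1, d2, d3]
    if any(d > 9 for d in digits):
        raise ValueError(f"non-decimal nibble in MNC bytes {value_hex!r}")
    return "".join(str(d) for d in digits)


if __name__ == "__main__":
    # Reads PDML from stdin when piped (tshark -T pdml output), else the sample.
    text = SAMPLE_PDML if sys.stdin.isatty() else sys.stdin.read()
    for raw_hex in field_values(text, "e212.mnc", "value"):
        print(raw_hex, int(raw_hex, 16), mnc_digits(raw_hex))
```
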