This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to output Info Column as text for AMQP protocol?


I've got a Wireshark capture of AMQP traffic and when viewed in Wireshark the Info column has text such as:

connection.start-ok
connection.tune

etc.

I'm trying to figure out how I can get that field as text output. This is what I'm using so far and the output it provides:

tshark -V -d tcp.port==10004,amqp -T fields -e tcp.srcport -e tcp.dstport -e amqp.connection.method -r file.pcapng

56372   10004   2
10004   56372   5
56372   10004   6,7
10004   56372   8

So what I’d want is something like:

56372   10004   connection.start-ok
10004   56372   connection.tune
56372   10004   connection.tune-ok,connection.open

Any suggestions?

Thank-you.

asked 20 Apr '17, 11:09


gctaylor11


One Answer:


You can use -e _ws.col.Info to display the contents of the Info column. In general, you can display the contents of any column using this method, just replace Info with the title of the column of interest.

answered 20 Apr '17, 11:13


cmaynard ♦♦

Thanks for the suggestion.

Any idea why

-e _ws.col.Info

Is blank for me?

# tshark -V -d tcp.port==10004,amqp -T fields  -e _ws.col.Info -e tcp.srcport -e tcp.dstport  -r /tmp/1.mcc.b.AG1-1.pcapng  | head -n 30

I have tried tshark versions 1.8.10 and 1.10.14 on RHEL. I also tried on Windows (tshark v. 2.2.3) but got a different decoding error unrelated to the original problem.

Parameter "tcp.port==10004" doesn't follow the template ">layer_type==selector>",">decode_as_protocol>"

(My left angle bracket malformation is not part of the problem. In the error they are displayed correctly.)

(20 Apr '17, 13:54) gctaylor11

For versions of Wireshark prior to Wireshark 1.12.0, omit the _ws. prefix.

(20 Apr '17, 14:44) cmaynard ♦♦

Thanks much! Works with 1.10.14.

(20 Apr '17, 15:44) gctaylor11
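Putting the answer and the version caveat from the comments together, here is an added example (not from the thread or from the Wireshark project) that picks the right Info-column field name for the installed tshark and prints source port, destination port and Info for AMQP on a non-standard port. It assumes tshark is on PATH and uses the port 10004 from the question as the default.

```shell
#!/bin/sh
# Added example: select the Info column field name by tshark version and
# dump "srcport dstport Info" for AMQP traffic decoded on a custom port.

# Return "col.Info" for releases before 1.12.0 and "_ws.col.Info" from
# 1.12.0 on (the cut-off named in the answer's comments). An empty or
# unparseable version string falls back to the modern name.
info_field_for_version() {
    # $1 is a dotted version such as 1.10.14 or 2.2.3
    if [ -z "$1" ]; then
        printf '_ws.col.Info'
        return
    fi
    set -- $(printf '%s' "$1" | tr '.' ' ')
    major=${1:-0}
    minor=${2:-0}
    if [ "$major" -lt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -lt 12 ]; }; then
        printf 'col.Info'
    else
        printf '_ws.col.Info'
    fi
}

# Pull the version number out of the first line of `tshark -v`, which looks
# like "TShark 1.10.14 (...)" or "TShark (Wireshark) 2.2.3 (...)".
# Prints nothing if tshark is not installed.
tshark_version() {
    tshark -v 2>/dev/null | head -n 1 | grep -o '[0-9][0-9.]*' | head -n 1
}

# Usage: amqp_info_columns capture.pcapng [tcp-port]
# Output is tab-separated with a header row; multiple methods in one
# segment (e.g. tune-ok and open) are joined by tshark's default "," aggregator.
amqp_info_columns() {
    pcap=$1
    port=${2:-10004}
    field=$(info_field_for_version "$(tshark_version)")
    tshark -r "$pcap" -d "tcp.port==$port,amqp" -T fields \
        -E header=y -E separator=/t \
        -e tcp.srcport -e tcp.dstport -e "$field"
}
```

On a 1.10.x install the generated command uses `-e col.Info`; on 1.12.0 or later it uses `-e _ws.col.Info`, so the same script works on both the RHEL and Windows versions mentioned above.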