I've got a Wireshark capture of AMQP traffic and when viewed in Wireshark the Info column has text such as:

connection.start-ok
connection.tune

etc.

I'm trying to figure out how I can get that field as text output? This is what I'm using so far and the output it provides:

tshark -V -d tcp.port==10004,amqp -T fields -e tcp.srcport -e tcp.dstport -e amqp.connection.method -r file.pcapng

56372   10004   2
10004   56372   5
56372   10004   6,7
10004   56372   8

So what I'd want is something like:

56372   10004   connection.start-ok
10004   56372   connection.tune
56372   10004   connection.tune-ok,connection.open

Any suggestions?

Thank you.

asked 20 Apr, 11:09

gctaylor11

You can use -e _ws.col.Info to display the contents of the Info column. In general, you can display the contents of any column using this method, just replace Info with the title of the column of interest.

answered 20 Apr, 11:13

cmaynard ♦♦

Thanks for the suggestion.

Any idea why

-e _ws.col.Info

Is blank for me?

# tshark -V -d tcp.port==10004,amqp -T fields  -e _ws.col.Info -e tcp.srcport -e tcp.dstport  -r /tmp/1.mcc.b.AG1-1.pcapng  | head -n 30

I have tried tshark versions 1.8.10 and 1.10.14 on RHEL. I also tried on Windows (tshark v. 2.2.3) but got a different decoding error unrelated to the original problem.

Parameter "tcp.port==10004" doesn't follow the template ">layer_type==selector>",">decode_as_protocol>"

(My left angle bracket malformation is not part of the problem. In the error they are displayed correctly.)

(20 Apr, 13:54) gctaylor11

For versions of Wireshark prior to Wireshark 1.12.0, omit the _ws. prefix.

(20 Apr, 14:44) cmaynard ♦♦

Thanks much! Works with 1.10.14.

(20 Apr, 15:44) gctaylor11
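
Added example, not part of the original thread: a shell wrapper that picks the Info-column field name from the installed tshark version, using the 1.12.0 cutoff given in the answer's follow-up comment. The function names are hypothetical, the version banners in the comments are constructed samples, and the port default comes from the question.

```shell
#!/usr/bin/env bash
# Added example: choose the Info-column field that matches the tshark version.

# Extract the first dotted version number from the first line of `tshark -v`,
# e.g. "TShark 1.10.14 (...)" or "TShark (Wireshark) 2.2.3 (...)" (constructed samples).
version_from_banner() {
    printf '%s\n' "$1" | head -n 1 | grep -Eo '[0-9]+\.[0-9]+(\.[0-9]+)?' | head -n 1
}

# Print the column field name for a version string such as "1.10.14".
# 1.12.0 and later use the _ws. prefix; earlier releases omit it.
info_field_for_version() {
    local ver=$1 major minor
    major=${ver%%.*}
    minor=${ver#*.}
    minor=${minor%%.*}
    # Reject empty or non-numeric input instead of guessing a field name.
    case $major$minor in
        ''|*[!0-9]*) return 1 ;;
    esac
    if [ "$major" -gt 1 ] || { [ "$major" -eq 1 ] && [ "$minor" -ge 12 ]; }; then
        echo "_ws.col.Info"
    else
        echo "col.Info"
    fi
}

# Print "srcport dstport Info" for each frame, decoding the given port as AMQP.
# Usage: amqp_info file.pcapng [port]   (port defaults to 10004, as in the question)
amqp_info() {
    local pcap=$1 port=${2:-10004} field
    field=$(info_field_for_version "$(version_from_banner "$(tshark -v 2>/dev/null)")") || {
        echo "could not determine tshark version" >&2
        return 1
    }
    tshark -r "$pcap" -d "tcp.port==$port,amqp" -T fields \
        -e tcp.srcport -e tcp.dstport -e "$field"
}

# Run only when a capture file is passed on the command line.
if [ "$#" -gt 0 ]; then
    amqp_info "$@"
fi
```
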