Niklas Abrahamsson (KI/EAB) wrote:
> Is there a reason why you can't define the output based on what fields you want?

Because nobody's written and contributed code to do exactly that.
(There is an option that's similar, "-z proto,colinfo"; see below.)

> With the filters already in place it seems like it shouldn't really be a problem.
> like the -R command except that instead of filtering out all the
> packets the packets and getting an output of the whole packets that
> corresponds to the filtering. with some usage like: -Display
> "frame.pkt_len"

"-Display" wouldn't work all that well, at least as long as we're using
"getopt()", as that's equivalent to "-D -i -s -p -l -a -y". It wouldn't
even work well with "getopt_long()", although "--display" would work in
that case. (Switching to "getopt_long()" might be a Good Thing, as
UN*X's tradition of one-letter options only started getting a bit old
and tired a while ago.)

> which would then give you a list of only the packet
> lengths of all the packets in a dump-file that pass the additional
> filtering.

That works for "frame.pkt_len", but note that a packet could have more
than one instance of a given packet; what should it do if there's more
than one?

Note that you *can* do

    -z proto,colinfo,frame.pkt_len,frame.pkt_len

without "-V" to *add* the value of "frame.pkt_len" to the summary
output. If there's more than one instance of a given field, it'll show
all of them.