Bug ID |
10284
|
Summary |
_ws.col.Info field contains non-escaped quotes (for mDNS protocol, at least)
|
Classification |
Unclassified
|
Product |
Wireshark
|
Version |
1.11.x (Experimental)
|
Hardware |
x86
|
OS |
Windows 7
|
Status |
UNCONFIRMED
|
Severity |
Major
|
Priority |
Low
|
Component |
TShark
|
Assignee |
[email protected]
|
Reporter |
[email protected]
|
Build Information:
TShark 1.11.3 (v1.11.3-0-g1dd5d3a from master)
Copyright 1998-2014 Gerald Combs <[email protected]> and contributors.
This is free software; see the source for copying conditions. There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Compiled (64-bit) with GLib 2.34.1, with WinPcap (4_1_3), with libz 1.2.5, with
SMI 0.4.8, with c-ares 1.9.1, with Lua 5.2, without Python, with GnuTLS
2.12.18,
with Gcrypt 1.4.6, without Kerberos, with GeoIP.
Running on 64-bit Windows 7 Service Pack 1, build 7601, without WinPcap.
Intel(R) Core(TM) i7-3720QM CPU @ 2.60GHz, with 8133MB of physical
memory.
Built using Microsoft Visual C++ 10.0 build 40219
--
The _ws.col.Info field sometimes contains double quotes ("). This is the case
for mDNS, and perhaps other protocols. This breaks CSV parsers, since they
recognize double quotes as the field delimiter. Note, using -E quote=d is
typically necessary when creating valid CSV from tshark many output fields from
tshark can contain a comma.
Sample of problem (note the "QM" inside the _ws.col.Info field):
tshark -T fields -e frame.number -e _ws.col.Protocol -e _ws.col.Info -E
separator=, -E header=y -E quote=d -Y "dns"
frame.number,_ws.col.Protocol,_ws.col.Info
"179","MDNS","Standard query 0x0000 PTR _googlecast._tcp.local, "QM" question"
"183","MDNS","Standard query 0x0000 PTR _googlecast._tcp.local, "QM" question"
Desired output:
tshark -T fields -e frame.number -e _ws.col.Protocol -e _ws.col.Info -E
separator=, -E header=y -E quote=d -Y "dns"
frame.number,_ws.col.Protocol,_ws.col.Info
"179","MDNS","Standard query 0x0000 PTR _googlecast._tcp.local, QM question"
"183","MDNS","Standard query 0x0000 PTR _googlecast._tcp.local, QM question"
I recommend ensuring that double quotes are never placed inside of a tshark
output field, to include the _ws.col fields. Is this an issue with the mDNS
dissector?
You are receiving this mail because:
- You are watching all bug changes.