Hello,
Currently when you run with the following options:
tshark -i eth5 -T fields -e eth.dst -e eth.src -e eth.type -e data.data
You get the following output:
00:80:52:00:00:00 00:80:52:00:ff:ff 0x814f 00:00:00:00:01:12:00:00
I can see that the "data" being selected from the pdml field (see pdml dump below) is the "show" data. But what I'd really like is the "value" data. This would give me a clean output without the "0x" or ":"'s in the data. Like this:
008052000000 00805200ffff 814f 0000000001120000
Ideally it'd be nice if it was possible to select which of the formats of the field were output. I've been trying to figure out where I need to make the change to accomplish this but am having some difficulty. I know the output is coming from proto_tree_write_fields in print.c. But I don't understand the format of the tree that contains the data to retrieve.
Could someone point me in the right direction?
Much thanks,
Mike
Here is an example -T pdml dump a frame for reference:
<?xml version="1.0"?>
<pdml version="0" creator="wireshark/1.0.6">
<packet>
<proto name="eth" showname="Ethernet II, Src: 00:80:52:00:ff:ff (00:80:52:00:ff:ff), Dst: 00:80:52:00:00:00 (00:80:52:00:00:00)" size="14" pos="0">
<field name="eth.dst" showname="Destination: 00:80:52:00:00:00 (00:80:52:00:00:00)" size="6" pos="0" show="00:80:52:00:00:00" value="008052000000">
<field name="eth.addr" showname="Address: 00:80:52:00:00:00 (00:80:52:00:00:00)" size="6" pos="0" show="00:80:52:00:00:00" value="008052000000"/>
<field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="0" show="0" value="0" unmaskedvalue="008052"/>
<field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="0" show="0" value="0" unmaskedvalue="008052"/>
</field>
<field name="eth.src" showname="Source: 00:80:52:00:ff:ff (00:80:52:00:ff:ff)" size="6" pos="6" show="00:80:52:00:ff:ff" value="00805200ffff">
<field name="eth.addr" showname="Address: 00:80:52:00:ff:ff (00:80:52:00:ff:ff)" size="6" pos="6" show="00:80:52:00:ff:ff" value="00805200ffff"/>
<field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit: Individual address (unicast)" size="3" pos="6" show="0" value="0" unmaskedvalue="008052"/>
<field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit: Globally unique address (factory default)" size="3" pos="6" show="0" value="0" unmaskedvalue="008052"/>
</field>
<field name="eth.type" showname="Type: Unknown (0x814f)" size="2" pos="12" show="0x814f" value="814f"/>
</proto>
<proto name="fake-field-wrapper">
<field name="data" value="0000000001120000"/>
<field name="data.data" showname="Data: 0000000001120000" size="8" pos="14" show="00:00:00:00:01:12:00:00" value="0000000001120000"/>
</proto>
</packet>