Wireshark · Wireshark-dev: [Wireshark-dev] Re: byte range selections in tshark -e fields

Wireshark-dev: [Wireshark-dev] Re: byte range selections in tshark -e fields

From: John Thacker <johnthacker@xxxxxxxxx>

Date: Fri, 10 Jan 2025 09:21:05 -0500

On Fri, Jan 10, 2025 at 9:08 AM Cristian Constantin via Wireshark-dev <wireshark-dev@xxxxxxxxxxxxx> wrote:

wireshark GUI supports byte selection by means of indexing an protocol
field in display filters, e.g.:

"gsm_map.ms.autn[6] == 0x80"

is it possible to use expressions indexed like shown above for tshark
fields specified with -e option?

Yes, beginning in Wireshark-4.4.0:

https://www.wireshark.org/docs/relnotes/wireshark-4.4.0.html

They can also be used in custom columns, again beginning in 4.4.0.

what is the syntax for it?

The syntax is the same, e.g.

tshark -T fields -e "gsm_map.ms.autn[6] == 0x80" -r <file>

will produce a check mark if the test is true (and blank if not)

tshark -T fields -e "gsm_map.ms.autn[6]" -r <file>

will give the value of that byte.

Cheers,

John

References:
- [Wireshark-dev] byte range selections in tshark -e fields
  - From: Cristian Constantin

Prev by Date: [Wireshark-dev] Re: Stratoshark 0.9 and 1.0 release planning
Next by Date: [Wireshark-dev] Survey for Telephony / RRC Statistics
Previous by thread: [Wireshark-dev] byte range selections in tshark -e fields
Next by thread: [Wireshark-dev] Re: byte range selections in tshark -e fields
Index(es):
- Date
- Thread