Wireshark-users: Re: [Wireshark-users] customizing tshark -Ttext output

From: Guy Harris <guy@xxxxxxxxxxxx>
Date: Wed, 14 May 2008 11:01:07 -0700
Elof Ofel wrote:
> I would like to customize the output of my tshark a bit...

"-Ttext" means "display what would show up in the packet list" if you don't use "-V", and "display what would show up in the packet details window for each packet" if you do use "-V" - i.e., it's the equivalent of exporting to a text file in Wireshark - so its customizability is limited.

> 1. Where do I find a reference of the most useful field keywords to use? (for the -e option) Like the timestamp, the one-line-summary-info, packet length, TTL-values, etc?

There isn't one. There's a list of *all* fields, but that's huge (210037 lines, if I do "man wireshark-filter | col -b | wc -l").

The packet arrival time stamp, as an absolute time, is frame.time.

The one-line-summary info isn't any filterable field.

The packet length could be any of a number of fields, depending on which length you want - the frame length on the wire is frame.len, and the length field from the IPv4 header is ip.len.

The TTL from the IPv4 header is ip.ttl.

> 2. What is the "-Tfields -e" command to get the normal text output but without the preceding timestamp on every row? (with tcpdump, you simply add -t to remove the time)

"-Tfields" is explicitly designed and intended *NOT* to give normal "-Ttext"-style output - it's intended to let you extract the values of specific fields in a form designed more for parsing by scripts - so there is no "-Tfields" option to do that.

> I'm really missing the possibility to in a simple way add a little bit of verboseness (like tcpdump's -v option, with more details the more v's you add, and the -e option with additional link layer info). I don't want to switch to -V view just to compare the IP ID of packets, ttl values or see their length.

tcpdump's -v option is implemented by dissectors knowing what the setting of -v is and deciding, based on that, what information to print.

Wireshark's design is *VERY* different - dissectors are *NOT* told how verbose the output is to be; they are expected to supply a *complete* dissection of the packet, as there are many parts of Wireshark *other* than the display part that use the information from that dissection. TShark is, by design and intent, "command-line Wireshark", and inherits that model from Wireshark.

If the goal is to produce a configurable one-line summary, then there are a couple of options:

1) You could use the "-z proto,colinfo" tap to add field values to the end of the summary information column; see the TShark man page.

2) We could add a command-line option to configure the columns to be displayed - that would let you get rid of the time stamp column, and, in combination with the "custom columns" feature, that would let you add columns for fields such as packet lengths and the TTL.
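The "-Tfields" route described above, worked through as an added example (this is not code from the thread or from the Wireshark project): it builds the tshark argument list for the fields named in the reply (frame.time, frame.len, ip.ttl, plus ip.id and ip.src, which are assumed to be the field names the original poster wants), parses the resulting tab-separated output back into records, and summarizes the TTLs seen per IPv4 source, which is the kind of comparison the poster wanted without switching to "-V". It assumes tshark's default tab separator for "-T fields" and the "-E header=y" option; the sample output rows are constructed, not captured from a real tshark run.

```python
"""Extract and compare per-packet fields from tshark -T fields output.

Added example, not part of the original mailing-list thread. Assumes
tshark's default tab-separated -T fields output with -E header=y; the
sample rows below are constructed, not real tshark output.
"""
from collections import defaultdict

# Fields named in the reply (frame.time, frame.len, ip.ttl) plus the ones
# the poster wanted to compare (ip.id, ip.src); frame.number keeps ordering.
FIELDS = ["frame.number", "frame.time", "frame.len", "ip.id", "ip.ttl", "ip.src"]


def build_tshark_cmd(pcap_path, fields=FIELDS):
    """Return the argv list for a tshark run that prints only the given fields.

    -T fields prints one tab-separated line per packet, and there is no
    leading timestamp column unless frame.time is requested explicitly.
    -E header=y adds a header row so the parser can map columns by name.
    """
    cmd = ["tshark", "-r", pcap_path, "-T", "fields", "-E", "header=y"]
    for field in fields:
        cmd += ["-e", field]
    return cmd


def parse_fields_output(text):
    """Parse tshark -T fields output (with a header row) into a list of dicts.

    Fields absent from a packet (e.g. ip.ttl on an ARP frame) are printed
    as empty strings; they are stored as None so callers can skip them.
    Values containing spaces or commas (frame.time) are safe because the
    column separator is a tab.
    """
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if not lines:
        return []
    header = lines[0].split("\t")
    records = []
    for ln in lines[1:]:
        cols = ln.split("\t")
        # Defensively pad short rows so every header name gets a value.
        cols += [""] * (len(header) - len(cols))
        records.append({k: (v if v != "" else None) for k, v in zip(header, cols)})
    return records


def ttl_by_source(records):
    """Map each IPv4 source address to the set of TTL values seen from it.

    A source whose TTL varies across a capture is worth a second look
    (different paths, or packets that did not originate where they claim).
    """
    ttls = defaultdict(set)
    for rec in records:
        if rec.get("ip.src") and rec.get("ip.ttl"):
            ttls[rec["ip.src"]].add(int(rec["ip.ttl"]))
    return dict(ttls)


# Constructed sample output, shaped like `tshark -T fields -E header=y` with
# the FIELDS above; frame 3 stands in for a non-IP (ARP) frame.
SAMPLE_OUTPUT = "\n".join([
    "\t".join(FIELDS),
    "1\tMay 14, 2008 11:01:07.000000000\t74\t0x1a2b\t64\t10.0.0.5",
    "2\tMay 14, 2008 11:01:07.001200000\t60\t0x1a2c\t64\t10.0.0.5",
    "3\tMay 14, 2008 11:01:07.002000000\t42\t\t\t",
    "4\tMay 14, 2008 11:01:07.003500000\t1514\t0x0042\t128\t10.0.0.5",
    "5\tMay 14, 2008 11:01:07.004000000\t98\t0x7f01\t255\t10.0.0.9",
])


if __name__ == "__main__":
    print(" ".join(build_tshark_cmd("capture.pcap")))
    records = parse_fields_output(SAMPLE_OUTPUT)
    for rec in records:
        print(rec["frame.number"], rec["frame.len"], rec["ip.id"], rec["ip.ttl"], rec["ip.src"])
    print(ttl_by_source(records))
```

In practice the parser would be fed the stdout of the command that build_tshark_cmd returns; feeding it the constructed SAMPLE_OUTPUT instead lets the script run without tshark or a capture file. The "-z proto,colinfo" tap from option 1) is the alternative when the goal is to keep the normal "-Ttext" summary line and merely append field values to it.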