Wireshark-users: Re: [Wireshark-users] customizing tshark -Ttext output

From: Elof Ofel <elofu17@xxxxxxxxxxx>
Date: Sun, 18 May 2008 14:30:35 +0200
>> 1. Where do I find a reference of the most useful field keywords to use? (for the -e option) Like
>> the timestamp, the one-line-summary-info, packet length, TTL-values, etc?
> There isn't one. There's a list of *all* fields, but that's huge (210037 lines, if I do "man wireshark-filter | col -b | wc -l").

Yeah, I found the complete list, but as you say, it was overwhelming.
I understand it is a boring job to create a heavily reduced version of this reference list, but if people are really going to use the -e option, I think such a list is needed. :-)


> 2) We could add a command-line option to configure the columns to be
> displayed - that would let you get rid of the time stamp column, and, in
> combination with the "custom columns" feature, that would let you add
> columns for fields such as packet lengths and the TTL.

That would be just great!

What I want to do is to replace tcpdump (and in the future ngrep) with tshark for all my network analysis on remote sensors (in realtime via ssh, so no wireshark GUI).
Currently I use tshark to find the traffic I'm looking for since I much prefer the one-line summary of tshark over the output from tcpdump. But then I have to switch to tcpdump for two reasons:
* generate text small enough to fit in an email (need possibility to remove info from the output)
* network problem analysis is hard to do in -Ttext mode since some info is missing (need possibility to add info to the output) (working in -V mode is out of the question when looking at thousands of packets)

If you could add the possibility to do the same as tcpdump's -v, -t and -e options that would be great. Maybe there could be a couple of default "field profiles" to choose from? ...with the possibility to remove or add additional columns.


Generate text small enough to fit in an email
---------------------------------------------
When a problem or some interesting traffic is found, I want to present this in text form so it can easily be copied into an email or ticketing system.
Unfortunately, tshark doesn't produce output the way I'd like it to, so I have to use tcpdump instead.

I use 'tcpdump -t' (remove the timestamp) to get shorter lines of text (that fit into the email to the customer). I use this option so frequently that I think tshark should have it as a standalone option as well, like '-t n' as in "none".

Naturally, the first column with the frame counter should also be easily suppressed.

(I know all this can be done with a simple pipe to 'cut', but I think tshark should be able to suppress the output itself without the need for post-processing.)


Network problem analysis with tshark
------------------------------------
I often need to see the MAC address, so some way of easily adding the MAC addresses to the view would be nice. (see 'tcpdump -e')

Sometimes the packet received on eth0 is tagged somehow (VLAN, MPLS, PPPoE, etc.), and is not a plain ordinary Ethernet frame.
This is vital information that needs to be visible to the user (see 'tcpdump -e').

When looking for errors etc, some additional information is needed, like frame length, ip-id and ttl-values.

If you could also include 'cumulative bytes', that would be great.

...and an option to append the port number to the IP addresses

...and in this verbose mode also show what transport protocol is used (usually tcp/udp/icmp)



Suggested solutions:
1. Add the option '-t n' as in "none"

2. -C = do not show the first column with the frame number

3. Use multiple -V's for verboseness:
<none> = normal one-line-summary text output
-V = view the full decoded packet (as normal)
-VV = one-line-summary list but with some additional information on each line
Normally I do *not* need the heavy duty verboseness of tcpdump -ev, like correct checksums, correct tcp sequence numbers, window scaling, internal packet timestamps, fragmentation offsets, etc. This kind of verboseness would be nice to have if you add yet another 'V':
-VVV = show the default one-line-summary list but with lots of additional information on each line


Oh, and speaking of improvements:
When I use the option -c5, I expect to get exactly 5 packets. Currently I can get more than a screenful. This is just confusing. :-)



That covers the basic functions that today make me use tcpdump instead of tshark.
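The kind of output the post asks for (MAC addresses, VLAN tag, frame length, IP ID, TTL, transport protocol and ports on one line, with the frame number and timestamp left out) can already be approximated with `-T fields` plus a small post-processor. The script below is an added example, not code from this thread or from the Wireshark project; it assumes a tshark that has the `_ws.col.Info` field (1.8 or later) and a POSIX awk.

```shell
#!/bin/sh
# Added example (not from the thread or the Wireshark project): turn
# "tshark -T fields" output into a tcpdump-style one-line summary that
# carries MACs, VLAN id, frame length, IP ID, TTL, transport protocol
# and ports, and drops the frame number and timestamp.
# Assumes tshark >= 1.8 (_ws.col.Info); other names are standard fields.

# Fields requested from tshark, in the order the formatter expects them.
TSHARK_FIELDS="frame.len eth.src eth.dst vlan.id ip.src ip.dst ip.proto \
ip.id ip.ttl tcp.srcport tcp.dstport udp.srcport udp.dstport _ws.col.Info"

# Print the tshark arguments; live use would be:
#   tshark -i eth0 $(tshark_field_args) | format_summary
tshark_field_args() {
    printf '%s' '-T fields -E separator=/t -E occurrence=f'
    for f in $TSHARK_FIELDS; do printf ' -e %s' "$f"; done
    printf '\n'
}

# Read tab-separated field lines on stdin, print one summary line each.
format_summary() {
    awk -F '\t' '
    {
        len = $1; smac = $2; dmac = $3; vlan = $4; sip = $5; dip = $6
        proto = $7; id = $8; ttl = $9; info = $14
        if (sip == "") {                 # non-IP frame: MACs and length only
            printf "%s > %s len=%s %s\n", smac, dmac, len, info; next
        }
        sport = $10; dport = $11         # TCP ports, else fall back to UDP
        if (sport == "") { sport = $12; dport = $13 }
        pname = (proto == 6) ? "TCP" : (proto == 17) ? "UDP" : (proto == 1) ? "ICMP" : "proto" proto
        line = smac " > " dmac
        if (vlan != "") line = line " [vlan " vlan "]"
        src = sip; dst = dip
        if (sport != "") { src = src ":" sport; dst = dst ":" dport }
        printf "%s %s > %s %s len=%s id=%s ttl=%s %s\n", line, src, dst, pname, len, id, ttl, info
    }'
}

# Constructed sample of what "tshark $(tshark_field_args)" would emit.
SAMPLE_FIELDS=$(printf '74\t00:11:22:33:44:55\t66:77:88:99:aa:bb\t100\t10.0.0.5\t10.0.0.9\t6\t0x1a2b\t64\t51514\t22\t\t\tSYN\n98\t00:11:22:33:44:55\t66:77:88:99:aa:bb\t\t192.0.2.1\t192.0.2.2\t17\t0x0001\t128\t\t\t5353\t5353\tStandard query\n')

printf '%s\n' "$SAMPLE_FIELDS" | format_summary
```

Because `ip.id` is printed by tshark as hex and `vlan.id` is empty for untagged frames, the formatter passes the ID through unchanged and only emits the `[vlan N]` column when a tag is present.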


