Wireshark-users: Re: [Wireshark-users] Packet List Display

From: "Tony Fortunato" <2008@xxxxxxxxxxxxxxx>
Date: Wed, 21 May 2008 19:14:41 -0400
Hi Sake,

I was fumbling around with tshark and was getting close, but you did a far better
job than I did.  I was looking for the IP.id to correlate when I compare two
trace files.

I would prefer a way to do it in the GUI, but this will do nicely.

Thanks
-------------------------------------------------------
Tony Fortunato, Sr Network Specialist
The Technology Firm
905 702-0108
www.thetechfirm.com
Getting things to work better - bit by bit -


-----Original Message-----
From: Sake Blok [mailto:sake@xxxxxxxxxx] 
Sent: Wednesday, May 21, 2008 2:20 PM
To: 2008@xxxxxxxxxxxxxxx; Community support list for Wireshark
Subject: Re: [Wireshark-users] Packet List Display

On Wed, May 21, 2008 at 05:16:47PM +0200, Sake Blok wrote:
> On Wed, May 21, 2008 at 09:16:36AM -0400, Tony Fortunato wrote:
> >
> > - I wanted to see (and ideally export) the Packet List with the IP
> > info as the displayed protocol, even if Wireshark can decode the higher
> > protocols.
>
> If I understand you correctly you want the Info column to display the
> values as if IP was the last layer that was dissected by Wireshark?
>
> I thought that would be possible to achieve by disabling all protocols
> and then enabling only Ethernet and IP. But unfortunately the IP
> dissector then just displays: "TCP (0x06)".

Hmmm... I looked at epan/dissectors/packet-ip.c and it shows that only
exceptions are put into the "Info Column". This makes sense as IP will never
be the last protocol, there will always be a protocol on top of it. If it
doesn't know that protocol, it will just show "<name> (<proto-id>)".

> When I disable the HTTP dissector, the Info Column will indeed show 
> the TCP info like there was no upper layer present.
> 
> Do you want the IP dissector to behave in the same manner? 
> (ie showing IP details in the Info Column when the upper layer 
> protocol dissectors are disabled)

What info do you want exactly? I think you can use tshark to accomplish your
goal. Let's have a try..

$ tshark -r trees.cap -T fields -e frame.number -e frame.time_relative \
    -e ip.src -e ip.dst -e ip.len -e ip.id -e ip.ttl -e ip.proto -e ip.checksum \
    -E header=y
frame.number  frame.time_relative  ip.src          ip.dst          ip.len  ip.id   ip.ttl  ip.proto  ip.checksum
1             0.000000000          213.84.244.33   213.206.125.36  40      0xfed7  120     0x06      0xe78e
2             0.037319000          213.206.99.118  213.206.125.35  128     0x2ed6  59      0x32      0xc43f
3             1.018455000          213.206.125.36  213.84.244.33   136     0xa817  63      0x06      0x76ef
4             1.231212000          213.84.244.33   213.206.125.36  40      0xfed8  120     0x06      0xe78d
5             2.820017000          213.84.244.33   213.206.125.36  88      0xfed9  120     0x06      0xe75c
6             2.854071000          213.206.125.36  213.84.244.33   40      0xa818  63      0x06      0x774e
7             2.968476000          213.84.244.33   213.206.125.36  88      0xfeda  120     0x06      0xe75b
8             2.969336000          213.206.125.36  213.84.244.33   40      0xa819  63      0x06      0x774d
9             2.971973000          213.206.125.36  213.84.244.33   344     0xa81a  63      0x06      0x761c

Does something like that fit your needs?

Cheers,
    Sake
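Tony's actual goal above is to line up the same packets in two trace files taken at different points in the path, using ip.id. As an added example (not code from either poster or from the Wireshark project), the script below takes two tab-separated `tshark -T fields -E header=y` exports of the kind Sake shows and pairs packets on (ip.src, ip.dst, ip.proto, ip.id). It deliberately leaves ip.ttl and ip.checksum out of the key, since both change at every router hop and so never agree between two capture points. Packets whose key is not unique (Linux, for example, sends ip.id 0 on many DF-flagged packets, and the 16-bit field wraps quickly on a busy host) are matched in arrival order and counted as ambiguous so the reader knows how much to trust those pairs. The two TSV inputs, file names and addresses are constructed for the example; the tshark command in the module docstring is real, but `near.cap`/`far.cap` are placeholders.

```python
"""Correlate two tshark field exports on the IPv4 Identification field.

Each input is assumed to come from a command like (real tshark options;
the capture file names are placeholders):

  tshark -r near.cap -T fields -E header=y -E separator=/t \
      -e frame.number -e frame.time_relative -e ip.src -e ip.dst \
      -e ip.len -e ip.id -e ip.ttl -e ip.proto > near.tsv
"""
from collections import Counter, defaultdict, deque

# Constructed sample export from a capture near the sender 10.0.0.5.
NEAR_TSV = """frame.number\tframe.time_relative\tip.src\tip.dst\tip.len\tip.id\tip.ttl\tip.proto
1\t0.000000000\t10.0.0.5\t10.0.1.9\t40\t0x1a2b\t64\t0x06
2\t0.010000000\t10.0.0.5\t10.0.1.9\t88\t0x1a2c\t64\t0x06
3\t0.020000000\t10.0.1.9\t10.0.0.5\t40\t0x7f01\t57\t0x06
4\t0.030000000\t10.0.0.5\t10.0.1.9\t1500\t0x0000\t64\t0x06
5\t0.031000000\t10.0.0.5\t10.0.1.9\t1500\t0x0000\t64\t0x06
"""

# Constructed sample export from a capture near the receiver 10.0.1.9.
# The clock is not synchronised with the first capture, the TTLs differ
# by the hops in between, frame 2 of the near trace was lost on the way,
# and the far side saw one packet the near side never did.
FAR_TSV = """frame.number\tframe.time_relative\tip.src\tip.dst\tip.len\tip.id\tip.ttl\tip.proto
1\t5.000000000\t10.0.0.5\t10.0.1.9\t40\t0x1a2b\t59\t0x06
2\t5.003000000\t10.0.1.9\t10.0.0.5\t40\t0x7f01\t62\t0x06
3\t5.015000000\t10.0.0.5\t10.0.1.9\t1500\t0x0000\t59\t0x06
4\t5.016000000\t10.0.0.5\t10.0.1.9\t1500\t0x0000\t59\t0x06
5\t5.200000000\t10.0.1.9\t10.0.0.5\t344\t0x7f02\t62\t0x06
"""


def parse_fields(text):
    """Turn a header-prefixed, tab-separated tshark export into row dicts."""
    lines = [line for line in text.splitlines() if line.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, line.split("\t"))) for line in lines[1:]]


def _int(field):
    # tshark prints ip.id / ip.proto as hex ("0x1a2b"); some versions append
    # the decimal in parentheses, so keep only the first token. int(x, 0)
    # accepts both "0x1a2b" and plain decimal.
    return int(field.split()[0], 0)


def packet_key(row):
    """Identity of an IPv4 packet that survives forwarding across hops."""
    return (row["ip.src"], row["ip.dst"], _int(row["ip.proto"]), _int(row["ip.id"]))


def correlate(near_text, far_text):
    """Pair packets of two exports; returns matches, leftovers and a
    count of keys that occur more than once in the near trace (those
    pairings rest on arrival order only)."""
    near = parse_fields(near_text)
    far = parse_fields(far_text)

    pending = defaultdict(deque)          # key -> far-side rows not yet paired
    for row in far:
        pending[packet_key(row)].append(row)

    matched, only_near = [], []
    for row in near:
        queue = pending.get(packet_key(row))
        if queue:                         # empty deque is falsy: nothing left
            other = queue.popleft()
            delta = float(other["frame.time_relative"]) - float(row["frame.time_relative"])
            matched.append((int(row["frame.number"]), int(other["frame.number"]), delta))
        else:
            only_near.append(int(row["frame.number"]))

    only_far = sorted(int(r["frame.number"]) for q in pending.values() for r in q)
    ambiguous = sum(1 for n in Counter(packet_key(r) for r in near).values() if n > 1)
    return {
        "matched": matched,
        "only_in_near": only_near,
        "only_in_far": only_far,
        "ambiguous_keys": ambiguous,
    }


if __name__ == "__main__":
    result = correlate(NEAR_TSV, FAR_TSV)
    for near_no, far_no, delta in result["matched"]:
        print(f"near #{near_no} == far #{far_no}  (far - near = {delta:+.6f} s)")
    print("lost before far capture:", result["only_in_near"])
    print("unseen in near capture:", result["only_in_far"])
    print("ambiguous keys:", result["ambiguous_keys"])
```

Because the two capture clocks are not synchronised, the per-pair time delta is only meaningful relative to the other pairs in the same direction: a pair whose delta is noticeably larger than its neighbours' was delayed in transit. Fragments share the parent's ip.id by design, so on a trace with fragmentation the ambiguous-key count rises and ip.frag_offset should be added to the key.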