Wireshark-users: Re: [Wireshark-users] how can I see all readdirplus file entries with -T fields?

From: Marc MERLIN <marc_ws@xxxxxxxxxxx>
Date: Thu, 10 Jul 2008 23:20:36 -0700
On Fri, Jul 11, 2008 at 07:49:02AM +0200, Sake Blok wrote:
> > So great, I know that FH 0x5c2e5b6a is distributor in directory 0x98591a70,
> > but this dropped all the other files returned by readdirplus.
> 
> That's because the -T fields -e <field> output currently only
> shows the last occurance of <field> within the packet (if multiple
> occurances of <field> are present). I thought there was a feature
> request on http://bugs.wireshark.org to fix this, but I can't find
> it at the moment.
> 
> What I would like to do is add the option to select whether the
> output should show the first, the last or all occurances of <field>
> (seperated by another seperator).
 
Cool, indeed all of them was what I was looking for here :)
 
> However, my time at the moment is limited :-(

Understood, thanks for confirming where things stand for now.

> > I know I could just parse the output of
> > tshark -n -l port nfs -V -T pdml
> > but this output is huge, and I was hoping I wouldn't have to.
> > 
> > Is there a way out with -T fields, or will have to use -T pdml and dip my
> > hands in xml?
> 
> There is... in the future. For now, you will have to stick to the
> PDML output (or parse general -V output, which is smaller, but more
> difficult to parse, but maybe grepping might help you out).

Right. I haven't quite decided which one is the least worse to parse yet :)

Thanks,
Marc
-- 
"A mouse is a device used to point at the xterm you want to type in" - A.S.R.
Microsoft is to operating systems & security ....
                                      .... what McDonalds is to gourmet cooking
Home page: http://marc.merlins.org/