On Fri, Jun 10, 2011 at 10:13:04AM -0700, Barry Constantine wrote:
> Hope this is not a dumb question, but I was wondering if anyone could
> provide more insight into these two (2) new features of 1.6:
>
>
> * TShark can show a specific occurrence of a field when using '-T
> fields'.
>
> * Custom columns can show a specific occurrence of a field.
In Wireshark, you can add a new column of field type "custom" and then
specify a filter name for the field name such as "ip.addr" and then the
field occurence field can take different values as shown by the text
when you point the mouse cursor to the field: 0 = all (default), 1 =
first, 2 = second ..., -1 = last. So if in this example ip.addr shows
up multiple times in the same packet, "1" will show only the value only
from the first time it shows up in the dissection tree (middle pane).
Otherwise all of them will show up with (if I remember correctly) commas
in between. Tshark has something similar but I don't know the syntax
off the top of my head (check "tshark -h" probably).