Wireshark mailing list archives
Re: question, how to output specific fields in a complex packet using tshark command line
From: "damker" <damker () sina com>
Date: Tue, 13 Jul 2010 12:13:07 +0800
Thanks, the theory is ok, but something else happened. My OS is WIN7 + ActivePerl 5.10. When using

    tshark.exe -T pdml -r "d:\temp\MCNew.cap" | perl -ane "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}" > d:\temp\mcnew.txt

the error reported is:

    syntax error at -e line 1, near "$f:"
    Execution of -e aborted due to compilation errors.
    tshark: An error occurred while printing packets: Invalid argument.

When using

    tshark.exe -T pdml -r "d:\temp\MCNew.cap" | perl -ane "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f,$1,";}}" > d:\temp\mcnew.txt

the result is:

    m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId2046823431m3ua.protocol_data_opc1310708m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId3825208323m3ua.protocol_data_opc1307719m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId3288337409m3ua.protocol_data_opc1307817m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId2449476613m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId752404340

There is no "," character. Any suggestion to solve this?

From: wireshark-users-bounces () wireshark org [mailto:wireshark-users-bounces () wireshark org] On Behalf Of Martin Visser
Sent: July 13, 2010 8:03
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] question, how to output specific fields in a complex packet using tshark command line

Unfortunately each -e field only matches a single instance. You are better off parsing the PDML output, which outputs all of the fields, by iterating through the fields.

I have created a perl one-liner that can do this:

    tshark.exe -T pdml -r "MCNew.cap" | perl -ane '@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId);\
    foreach $f (@flist) {\
    if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$1,";}}'

Output is:

    1307690,1307721,2046823431,1310708,1307721,1307690,1307721,3825208323,
    1307719,1307721,1307690,1307721,3288337409,1307817,1307721,1307690,
    1307721,2449476613,1307690,1307721,752404340,

Note that it seems (with this protocol) that there is a variable number of the same field and some are optional (for instance the second opc/dpc set doesn't have a matching transactionId), so I would include the field name in the output:

    tshark.exe -T pdml -r "MCNew.cap" | perl -ane '@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId);\
    foreach $f (@flist) {\
    if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}'

    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
    m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
    m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
    m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
    m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,

Regards, Martin
MartinVisser99 () gmail com

2010/7/12 damker <damker () sina com>

From: damker [mailto:damker () sina com]
Sent: July 12, 2010 16:26
To: 'Wireshark-users-request () wireshark org'
Subject: help, how to output specific fields in a complex packet using tshark command line

Help

The attachment is a packet captured on the Mc interface; there are 8 SCTP and upper layers. I want to output all the m3ua.protocol_data_opc, m3ua.protocol_data_dpc, h248.transactionId in every M3UA. If I put the file in d:\temp\ and use the command line below:

    tshark -r d:\temp\MCNew.cap -T fields -E separator=, -e m3ua.protocol_data_opc -e m3ua.protocol_data_dpc -e h248.transactionId >d:\temp\h248.txt

it outputs the last m3ua.protocol_data_opc, m3ua.protocol_data_dpc, h248.transactionId, not all. How to write a correct command line to output all the fields I want?

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users () wireshark org>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request () wireshark org?subject=unsubscribe
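The approach Martin describes, parsing the PDML that tshark emits so that every occurrence of a field is seen, is shown below as an added example; it is not code from the thread or from the Wireshark project. Two practical points motivate it. First, the syntax error on Windows comes from cmd.exe quoting: inside an outer double-quoted perl -e string, the inner double quotes around "$f:$1," close and reopen the shell string, so perl receives print $f:$1, (a syntax error), while "$f,$1," becomes print $f,$1,, which is valid perl but never prints a literal comma. Keeping the logic in a script file instead of a one-liner avoids that entirely. Second, PDML is XML in which <field> elements repeat and nest inside <proto> and other <field> elements, so an XML parser walking the tree is more robust than a line-based regex. The PDML sample embedded here is constructed (the field names and values are the ones quoted in the thread, the surrounding structure is illustrative), and the script name pdml_fields.py is hypothetical.

```python
"""Extract repeated, possibly nested fields per packet from tshark PDML output.

Hypothetical helper written for this thread, not part of Wireshark/tshark.
Usage: tshark -T pdml -r capture.cap | python pdml_fields.py
Run with no piped input to process the constructed sample below.
"""
import io
import sys
import xml.etree.ElementTree as ET

# Field names taken from the thread.
FIELDS = ("m3ua.protocol_data_opc", "m3ua.protocol_data_dpc", "h248.transactionId")

# Constructed sample in tshark's PDML layout (two packets). The values are the
# ones quoted in the thread; the surrounding structure is illustrative only.
# The second packet nests the OPC/DPC fields inside a parent field, as PDML does.
SAMPLE_PDML = """<?xml version="1.0"?>
<pdml version="0">
<packet>
  <proto name="m3ua" showname="MTP 3 User Adaptation Layer">
    <field name="m3ua.protocol_data_opc" showname="OPC: 1307690" show="1307690"/>
    <field name="m3ua.protocol_data_dpc" showname="DPC: 1307721" show="1307721"/>
  </proto>
  <proto name="h248" showname="MEGACO">
    <field name="h248.transactionId" show="2046823431"/>
  </proto>
  <proto name="m3ua" showname="MTP 3 User Adaptation Layer">
    <field name="m3ua.protocol_data_opc" show="1310708"/>
    <field name="m3ua.protocol_data_dpc" show="1307721"/>
  </proto>
</packet>
<packet>
  <proto name="m3ua" showname="MTP 3 User Adaptation Layer">
    <field name="m3ua.protocol_data" showname="Protocol data">
      <field name="m3ua.protocol_data_opc" show="1307690"/>
      <field name="m3ua.protocol_data_dpc" show="1307721"/>
    </field>
  </proto>
  <proto name="h248" showname="MEGACO">
    <field name="h248.transactionId" show="3825208323"/>
  </proto>
</packet>
</pdml>
"""


def iter_packets(stream):
    """Yield each <packet> element as it closes, then free it (streams large PDML)."""
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag == "packet":
            yield elem
            elem.clear()


def extract_fields(stream, wanted):
    """Return, per packet, the (name, show) pairs of every occurrence of the wanted
    fields in document order. iter('field') also visits nested <field> elements."""
    wanted = set(wanted)
    return [
        [(f.get("name"), f.get("show", "")) for f in pkt.iter("field") if f.get("name") in wanted]
        for pkt in iter_packets(stream)
    ]


def format_packet(pairs):
    """One line per packet in the name:value, layout Martin suggested."""
    return "".join(f"{name}:{value}," for name, value in pairs)


def demo():
    """Run the extractor over the constructed sample; returns the formatted lines."""
    return [format_packet(p) for p in extract_fields(io.StringIO(SAMPLE_PDML), FIELDS)]


if __name__ == "__main__":
    source = io.StringIO(SAMPLE_PDML) if sys.stdin.isatty() else sys.stdin
    for line in (format_packet(p) for p in extract_fields(source, FIELDS)):
        print(line)
```

The packets are processed one at a time with iterparse and cleared after use, so a multi-gigabyte PDML dump does not have to fit in memory. The PDML here is generated locally by tshark from your own capture; if you ever feed XML from an untrusted source into a parser, use defusedxml rather than the standard library module. Newer tshark releases also accept -E occurrence=a to print every occurrence of an -e field, which may be enough when you do not need the field names or the nesting.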