Wireshark mailing list archives
Re: tshark "information" field filter
From: Stephen Fisher <steve () stephen-fisher com>
Date: Tue, 19 Oct 2010 15:46:10 -0600
On Tue, Oct 19, 2010 at 01:35:00PM +0200, fajfusio () wp pl wrote:
I would like to print the "information" field in tshark. The information means the contents of the information column from wireshark.
I don't know what field name to use in tshark's -e option.
The info column will not work in -e as that is only for filterable fields (such as tcp.port). You can specify the columns to use in tshark by overriding (-o) the preference file setting for column.format using the syntax taken from the preferences file: # Packet list column format. # Each pair of strings consists of a column title and its format. column.format: "No.", "%m", "Time", "%t", "Source", "%s", "Destination", "%d", "Protocol", "%p", "Info", "%i" For example, to only show the info column's contents in tshark: tshark -o column.format:"Info, %i" The first word is the title of the column, which won't be shown in tshark anyway. The % variables can be found in epan/column.c of the source code: http://anonsvn.wireshark.org/viewvc/trunk/epan/column.c?view=markup And cross-referencing the descriptions in epan/column_info.h: http://anonsvn.wireshark.org/viewvc/trunk/epan/column_info.h?view=markup ... we should probably make this easier as I could barely even remember how to do it :) ___________________________________________________________________________ Sent via: Wireshark-users mailing list <wireshark-users () wireshark org> Archives: http://www.wireshark.org/lists/wireshark-users Unsubscribe: https://wireshark.org/mailman/options/wireshark-users mailto:wireshark-users-request () wireshark org?subject=unsubscribe
Current thread:
- tshark "information" field filter fajfusio (Oct 19)
- Re: tshark "information" field filter Stephen Fisher (Oct 19)