Re: tshark "information" field filter

[Stephen Fisher <steve () stephen-fisher com>]

On Tue, Oct 19, 2010 at 01:35:00PM +0200, fajfusio () wp pl wrote:

> I would like to print the "information" field in tshark. The 
> information means the contents of the information column from 
> wireshark.

> I don't know what field name to use in tshark's -e option.

The info column will not work in -e as that is only for filterable 
fields (such as tcp.port).  You can specify the columns to use in tshark 
by overriding (-o) the preference file setting for column.format using 
the syntax taken from the preferences file:

        # Packet list column format.
        # Each pair of strings consists of a column title and its format.
        column.format: 
                "No.", "%m",
                "Time", "%t",
                "Source", "%s",
                "Destination", "%d",
                "Protocol", "%p",
                "Info", "%i"

For example, to only show the info column's contents in tshark:

        tshark -o column.format:"Info, %i"

The first word is the title of the column, which won't be shown in 
tshark anyway.  The % variables can be found in epan/column.c of the 
source code:

  http://anonsvn.wireshark.org/viewvc/trunk/epan/column.c?view=markup

And cross-referencing the descriptions in epan/column_info.h:

http://anonsvn.wireshark.org/viewvc/trunk/epan/column_info.h?view=markup

... we should probably make this easier as I could barely even remember 
how to do it :)
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe