Hello,
Currently when you run with the following options:
tshark -i eth5 -T fields -e eth.dst -e eth.src -e eth.type -e data.data
You get the following output:
00:80:52:00:00:00 00:80:52:00:ff:ff 0x814f 00:00:00:00:01:12:00:00
I can see that the "data" being selected from the pdml field (see pdml dump
below) is the "show" data. But what I'd really like is the "value" data. This
would give me a clean output without the "0x" or ":"'s in the data. Like this:
008052000000 00805200ffff 814f 0000000001120000
Ideally it'd be nice if it was possible to select which of the formats of the
field were output. I've been trying to figure out where I need to make the
change to accomplish this but am having some difficulty. I know the output is
coming from proto_tree_write_fields in print.c. But I don't understand the
format of the tree that contains the data to retrieve.
Could someone point me in the right direction?
Much thanks,
Mike
Here is an example -T pdml dump of a frame for reference:
<?xml version="1.0"?>
<pdml version="0" creator="wireshark/1.0.6">
<packet>
<proto name="eth" showname="Ethernet II, Src: 00:80:52:00:ff:ff
(00:80:52:00:ff:ff), Dst: 00:80:52:00:00:00 (00:80:52:00:00:00)" size="14"
pos="0">
<field name="eth.dst" showname="Destination: 00:80:52:00:00:00
(00:80:52:00:00:00)" size="6" pos="0" show="00:80:52:00:00:00"
value="008052000000">
<field name="eth.addr" showname="Address: 00:80:52:00:00:00
(00:80:52:00:00:00)" size="6" pos="0" show="00:80:52:00:00:00"
value="008052000000"/>
<field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit:
Individual address (unicast)" size="3" pos="0" show="0" value="0"
unmaskedvalue="008052"/>
<field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit:
Globally unique address (factory default)" size="3" pos="0" show="0" value="0"
unmaskedvalue="008052"/>
</field>
<field name="eth.src" showname="Source: 00:80:52:00:ff:ff
(00:80:52:00:ff:ff)" size="6" pos="6" show="00:80:52:00:ff:ff"
value="00805200ffff">
<field name="eth.addr" showname="Address: 00:80:52:00:ff:ff
(00:80:52:00:ff:ff)" size="6" pos="6" show="00:80:52:00:ff:ff"
value="00805200ffff"/>
<field name="eth.ig" showname=".... ...0 .... .... .... .... = IG bit:
Individual address (unicast)" size="3" pos="6" show="0" value="0"
unmaskedvalue="008052"/>
<field name="eth.lg" showname=".... ..0. .... .... .... .... = LG bit:
Globally unique address (factory default)" size="3" pos="6" show="0" value="0"
unmaskedvalue="008052"/>
</field>
<field name="eth.type" showname="Type: Unknown (0x814f)" size="2" pos="12"
show="0x814f" value="814f"/>
</proto>
<proto name="fake-field-wrapper">
<field name="data" value="0000000001120000"/>
<field name="data.data" showname="Data: 0000000001120000" size="8"
pos="14" show="00:00:00:00:01:12:00:00" value="0000000001120000"/>
</proto>
</packet>
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <[email protected]>
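Added example, not part of the original message and not Wireshark code: one way to get the requested "value" column output without changing print.c is to post-process `tshark -T pdml` output and select the attribute per field. The helper names `pdml_rows` and `render` are hypothetical, and the sample is trimmed from the dump above with a closing `</pdml>` added.

```python
import io
import xml.etree.ElementTree as ET

# Sample trimmed from the PDML dump in the message above; closing </pdml> added.
SAMPLE_PDML = b"""<?xml version="1.0"?>
<pdml version="0" creator="wireshark/1.0.6">
<packet>
<proto name="eth" size="14" pos="0">
<field name="eth.dst" size="6" pos="0" show="00:80:52:00:00:00" value="008052000000">
<field name="eth.addr" size="6" pos="0" show="00:80:52:00:00:00" value="008052000000"/>
</field>
<field name="eth.src" size="6" pos="6" show="00:80:52:00:ff:ff" value="00805200ffff"/>
<field name="eth.type" size="2" pos="12" show="0x814f" value="814f"/>
</proto>
<proto name="fake-field-wrapper">
<field name="data" value="0000000001120000"/>
<field name="data.data" size="8" pos="14" show="00:00:00:00:01:12:00:00" value="0000000001120000"/>
</proto>
</packet>
</pdml>
"""


def pdml_rows(stream, names, attr="value"):
    """Yield one list per <packet>: the chosen attribute of each named field.

    Streams with iterparse so a large capture is not held in memory at once.
    A field missing from a packet, or lacking the attribute, gives "".
    """
    for _event, elem in ET.iterparse(stream, events=("end",)):
        if elem.tag != "packet":
            continue
        first = {}
        for field in elem.iter("field"):
            # Keep only the first occurrence of each name, in document order.
            first.setdefault(field.get("name"), field)
        yield [first[n].get(attr, "") if n in first else "" for n in names]
        elem.clear()  # drop the finished packet's subtree


def render(pdml_bytes, names, attr="value"):
    """Return one space-separated line per packet, like -T fields output."""
    rows = pdml_rows(io.BytesIO(pdml_bytes), names, attr)
    return [" ".join(row) for row in rows]


if __name__ == "__main__":
    for line in render(SAMPLE_PDML, ["eth.dst", "eth.src", "eth.type", "data.data"]):
        print(line)
```

Passing `attr="show"` reproduces the current `-T fields` formatting, so the same script covers both outputs discussed in the message.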