I have created a modified version of Wireshark in which I produce tab
delimited files that actually aggregates multiple instances of particular
fields. In fact, the output can become way too voluminous, but, it is much
faster to process these tab delimited files than the PDML output.
Especially when there are 100,000's of packets.
I will attest that the aggregation of multiple instances of a field is
pretty tricky. I wouldn't mind working with somebody else to try to
generalize what I have done.
Doug
Peter Gordon wrote:
> tshark can be used to display fields using the -T option.
> If the same field occurs a number of times within a protocol,
> only one value ( the last ) gets displayed.
>
> As far as I can see the error looks like it comes from the
> routine proto_tree_write_fields.
>
> The -T pdml option gives the correct output, but is too voluminous.
>
> Can anyone help with a fix?
There's at least one bug for that:
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=3818
It was discussed quite a bit at Sharkfest this year too--there seemed to
be quite a bit of interest in finding a way to fix it. (But: as
evidenced by the fact that there is so much interest and it hasn't been
done yet, it's non-trivial to implement.)
___________________________________________________________________________
Sent via: Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe