Elof Ofel wrote:
> I would like to customize the output of my tshark a bit...
"-Ttext" means "display what would show up in the packet list" if you
don't use "-V", and "display what would show up in the packet details
window for each packet" if you do use "-V" - i.e., it's the equivalent
of exporting to a text file in Wireshark - so its customizability is
limited.
> 1. Where do I find a reference of the most useful field keywords to use?
> (for the -e option)
> Like the timestamp, the one-line-summary-info, packet length,
> TTL-values, etc?
There isn't one. There's a list of *all* fields, but that's huge
(210037 lines, if I do "man wireshark-filter | col -b | wc -l").
The packet arrival time stamp, as an absolute time, is frame.time.
The one-line-summary info isn't any filterable field.
The packet length could be any of a number of fields, depending on which
length you want - the frame length on the wire is frame.len, and the
length field from the IPv4 header is ip.len.
The TTL from the IPv4 header is ip.ttl.
> 2. What is the "-Tfields -e" command to get the normal text output but
> without the preceding timestamp on every row? (with tcpdump, you
> simply add -t to remove the time)
"-Tfields" is explicitly designed and intended *NOT* to give normal
"-Ttext"-style output - it's intended to let you extract the values of
specific fields in a form designed more for parsing by scripts - so
there is no "-Tfields" option to do that.
> I'm really missing the possibility to in a simple way add a little bit
> of verboseness (like tcpdump's -v option, with more details the more v's
> you add, and the -e option with additional link layer info). I don't
> want to switch to -V view just to compare the IP ID of packets, ttl
> values or see their length.
tcpdump's -v option is implemented by dissectors knowing what the
setting of -v is and deciding, based on that, what information to print.
Wireshark's design is *VERY* different - dissectors are *NOT* told how
verbose the output is to be; they are expected to supply a *complete*
dissection of the packet, as there are many parts of Wireshark *other*
than the display part that use the information from that dissection.
TShark is, by design and intent, "command-line Wireshark", and inherits
that model from Wireshark.
If the goal is to produce a configurable one-line summary, then there
are a couple of options:
1) You could use the "-z proto,colinfo" tap to add field values to the
end of the summary information column; see the TShark man page.
2) We could add a command-line option to configure the columns to be
displayed - that would let you get rid of the time stamp column, and, in
combination with the "custom columns" feature, that would let you add
columns for fields such as packet lengths and the TTL.
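Since "-Tfields" output is meant for scripts, here is an added example (not part of the thread) that parses the tab-separated output of the fields named above (frame.time_epoch, ip.src, ip.dst, ip.id, ip.ttl, frame.len) and flags source addresses whose packets do not all carry the same TTL. The sample rows are constructed, and the tshark command in the docstring is an assumed invocation.

```python
"""Parse `tshark -T fields` output and check TTL consistency per source.

Added example, not from the mailing-list post. Assumes the capture was
exported with a command such as (assumed invocation):

  tshark -r capture.pcap -T fields -E header=y -E separator=/t \
      -e frame.time_epoch -e ip.src -e ip.dst -e ip.id -e ip.ttl -e frame.len
"""
import csv
import io
from collections import defaultdict

# Constructed sample output, not real capture data. Column order follows
# the -e options above; -E header=y emits the field names as the first row.
SAMPLE = """frame.time_epoch\tip.src\tip.dst\tip.id\tip.ttl\tframe.len
1700000000.000100\t10.0.0.5\t192.0.2.10\t0x1a2b\t64\t74
1700000000.000900\t192.0.2.10\t10.0.0.5\t0x0000\t52\t74
1700000000.002300\t10.0.0.5\t192.0.2.10\t0x1a2c\t64\t66
1700000001.100000\t10.0.0.5\t192.0.2.10\t0x0bad\t128\t60
1700000001.200000\t192.0.2.10\t10.0.0.5\t0x0001\t52\t1514
"""


def parse_fields_output(text):
    """Return one dict per packet, keyed by the names in the header row."""
    packets = []
    for row in csv.DictReader(io.StringIO(text), delimiter="\t"):
        packets.append({
            "time": float(row["frame.time_epoch"]),
            "src": row["ip.src"],
            "dst": row["ip.dst"],
            # ip.id is printed in hex; split() also tolerates a trailing
            # decimal in parentheses that some versions append.
            "id": int(row["ip.id"].split()[0], 16),
            "ttl": int(row["ip.ttl"]),
            "len": int(row["frame.len"]),
        })
    return packets


def ttl_by_source(packets):
    """Map each source address to the set of TTL values seen from it."""
    seen = defaultdict(set)
    for p in packets:
        seen[p["src"]].add(p["ttl"])
    return dict(seen)


def inconsistent_ttl_sources(packets):
    """Sources that sent packets with more than one TTL. A single host
    normally keeps one initial TTL, so variation deserves a closer look
    (several hosts behind one NAT, or traffic with a forged source)."""
    return sorted(src for src, ttls in ttl_by_source(packets).items()
                  if len(ttls) > 1)
```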