Wireshark-users: Re: [Wireshark-users] how can I see all readdirplus file entries with -T fields?
On Thu, Jul 10, 2008 at 06:07:48PM -0700, Marc MERLIN wrote:
> I'm running:
> tshark -n -l port nfs -V -T fields -E header=y -E separator='|' -e rpc.xid -e nfs.procedure_v3 -e nfs.name -e nfs.readdirplus.entry.name -e nfs.fh.hash -e nfs.nfsstat3
>
> on a readdirplus call, I get:
> 0xef5be299|17|||0x98591a70|
> 0xef5be299|17||distributor|0x5c2e5b6a|0
>
> So great, I know that FH 0x5c2e5b6a is distributor in directory 0x98591a70,
> but this dropped all the other files returned by readdirplus.
That's because the -T fields -e <field> output currently only
shows the last occurrence of <field> within the packet (if multiple
occurrences of <field> are present). I thought there was a feature
request on http://bugs.wireshark.org to fix this, but I can't find
it at the moment.
What I would like to do is add the option to select whether the
output should show the first, the last or all occurrences of <field>
(separated by another separator).
However, my time at the moment is limited :-(
> I know I could just parse the output of
> tshark -n -l port nfs -V -T pdml
> but this output is huge, and I was hoping I wouldn't have to.
>
> Is there a way out with -T fields, or will I have to use -T pdml and dip my
> hands in xml?
There is... in the future. For now, you will have to stick to the
PDML output (or parse general -V output, which is smaller, but more
difficult to parse, but maybe grepping might help you out).
Cheers,
Sake
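Parsing the PDML output Sake points to, as an added example that is not part of this thread: it walks every nfs.readdirplus.entry container (the container field name is an assumption) and collects each entry name together with its file-handle hash, so no entry is dropped the way -T fields drops all but the last. The input is a constructed PDML fragment, not real tshark output.

```python
import xml.etree.ElementTree as ET

# Constructed PDML sample (not captured tshark output): one NFSv3
# READDIRPLUS reply with two directory entries. The nesting of
# nfs.readdirplus.entry.name / nfs.fh.hash under an
# nfs.readdirplus.entry field is an assumption about the dissector.
SAMPLE_PDML = """<pdml>
  <packet>
    <proto name="rpc">
      <field name="rpc.xid" show="0xef5be299"/>
    </proto>
    <proto name="nfs">
      <field name="nfs.procedure_v3" show="17"/>
      <field name="nfs.readdirplus.entry" showname="Entry">
        <field name="nfs.readdirplus.entry.name" show="distributor"/>
        <field name="nfs.fh.hash" show="0x5c2e5b6a"/>
      </field>
      <field name="nfs.readdirplus.entry" showname="Entry">
        <field name="nfs.readdirplus.entry.name" show="archive"/>
        <field name="nfs.fh.hash" show="0x11223344"/>
      </field>
    </proto>
  </packet>
</pdml>
"""


def readdirplus_entries(pdml_text):
    """Return (xid, entry_name, fh_hash) for every entry in every packet."""
    root = ET.fromstring(pdml_text)
    results = []
    for packet in root.iter("packet"):
        # The RPC transaction id ties the reply back to its call.
        xid = None
        for f in packet.iter("field"):
            if f.get("name") == "rpc.xid":
                xid = f.get("show")
        # One container per directory entry; collect name and handle hash
        # from the fields nested inside it, so repeated fields are kept.
        for entry in packet.iter("field"):
            if entry.get("name") != "nfs.readdirplus.entry":
                continue
            name = fh = None
            for sub in entry.iter("field"):
                if sub.get("name") == "nfs.readdirplus.entry.name":
                    name = sub.get("show")
                elif sub.get("name") == "nfs.fh.hash":
                    fh = sub.get("show")
            results.append((xid, name, fh))
    return results
```

For real data, feed it the text of `tshark -n -T pdml port nfs` instead of SAMPLE_PDML.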