On Sat, 6 Sep 2008 Barry Constantine wrote:
> I am trying to us the ??T fields ?e? options to get the LS Age field out
> of OSPF LS Update packets (and dump to text file).
> The problem I am running into is that the LS Age field display filter
> is only an offset into the frame (i.e. frame[62:2] in this case).
> When I use this command:
> tshark -r ospf-pcap.pcap -T fields -e frame.number -e frame.time ?e frame[62:2]
-R "(ospf.msg == 4) "
> I get the LS Update packets, frame number, and frame time; but not the
LS Age Field (frame[62:2].
I think you won't get *LS Age Field*, because *frame[62:2]* isn't a field.
I've found a workaround with awk:
$ tshark -r OSPF_broadcast_adjacencies.cap -R "ospf.msg == 4 && (frame[62:2]
!=
00:00)" -V | awk '/^Frame/ { print $1, $2 }; /Arrival/ { print $3, $4,
$5, $6
}; /LS Age/ { print $1, $2, $3, $4}'
Frame 28
Jun 14, 2008 23:25:22.244550000
LS Age: 45 seconds
LS Age: 126 seconds
Frame 31
Jun 14, 2008 23:25:22.257439000
LS Age: 40 seconds
Frame 35
Jun 14, 2008 23:25:22.273503000
LS Age: 44 seconds
Frame 36
<snip>
BTW I've used this file:
http://packetlife.net/captures/4
OSPF_broadcast_adjacencies.cap
HTH
Joan