Thanks, the theory is OK, but something else happened.
My OS is WIN7+ActivePerl 5.10,
When using
tshark.exe -T pdml -r "d:\temp\MCNew.cap" | perl -ane "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}" > d:\temp\mcnew.txt
error reported:
syntax error at -e line 1, near "$f:"
Execution of -e aborted due to compilation errors.
tshark: An error occurred while printing packets: Invalid argument.
When using
tshark.exe -T pdml -r "d:\temp\MCNew.cap" | perl -ane "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f,$1,";}}" > d:\temp\mcnew.txt
result is:
m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId2046823431m3ua.protocol_data_opc1310708m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId3825208323m3ua.protocol_data_opc1307719m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId3288337409m3ua.protocol_data_opc1307817m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId2449476613m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId752404340
There is no "," character. Any suggestion to solve this?
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of Martin Visser
Sent: July 13, 2010 8:03
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] question, how to output specific fields in a complex packet using tshark command line
Unfortunately each -e field only matches a single instance. You are better off parsing the
PDML output, that outputs all of the fields by iterating through the field. I
have created a perl one-liner that can do this:-
tshark.exe -T pdml -r "MCNew.cap" | perl -ane '@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId);\
foreach $f (@flist) {\
if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$1,";}}'
Output is:
1307690,1307721,2046823431,1310708,1307721,1307690,1307721,3825208323,
1307719,1307721,1307690,1307721,3288337409,1307817,1307721,1307690,
1307721,2449476613,1307690,1307721,752404340,
Note that it seems (with this protocol) that as there seems to be a variable
number of same field and some are optional (for instance the second opc/dpc set
doesn't have a matching transactionId), I would include the field name in the
output so:
tshark.exe -T pdml -r "MCNew.cap" | perl -ane '@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId);\
foreach $f (@flist) {\
if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}'
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,
Regards, Martin
MartinVisser99@xxxxxxxxx
2010/7/12 damker <damker@xxxxxxxx>
Help
The attachment is a packet captured in the Mc interface; there are 8 SCTP and
upper layers. I want to output all the m3ua.protocol_data_opc,
m3ua.protocol_data_dpc, h248.transactionId in every M3UA.
If I put the file in d:\temp\ and use the command line below:
tshark -r d:\temp\MCNew.cap -T fields -E separator=, -e m3ua.protocol_data_opc -e m3ua.protocol_data_dpc -e h248.transactionId >d:\temp\h248.txt
it outputs the last m3ua.protocol_data_opc, m3ua.protocol_data_dpc,
h248.transactionId, not all. How do I write a correct command line to output
all the fields I want?
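Added example, not part of the original thread and not Martin Visser's one-liner: a Python script that reads the same "tshark -T pdml" output with an XML parser and writes one CSV row per M3UA message, leaving h248.transactionId empty where it is absent. It assumes a new message starts at each m3ua.protocol_data_opc field; the sample PDML is constructed from values in the output above, and the function names are this example's own.

```python
import csv
import io
import sys
import xml.etree.ElementTree as ET

FIELDS = ("m3ua.protocol_data_opc", "m3ua.protocol_data_dpc", "h248.transactionId")
GROUP_START = FIELDS[0]  # assumption: each M3UA data message begins with its OPC

# Constructed sample (not real tshark output): one packet, two M3UA messages.
SAMPLE_PDML = b"""<pdml><packet>
<proto name="m3ua"><field name="m3ua.protocol_data_opc" show="1307690"/>
<field name="m3ua.protocol_data_dpc" show="1307721"/></proto>
<proto name="h248"><field name="h248.transactionId" show="2046823431"/></proto>
<proto name="m3ua"><field name="m3ua.protocol_data_opc" show="1310708"/>
<field name="m3ua.protocol_data_dpc" show="1307721"/></proto>
</packet></pdml>"""

def extract_rows(pdml_stream):
    """Yield (packet_no, {field: value}) for every M3UA message in the PDML."""
    packet_no = 0
    for _event, elem in ET.iterparse(pdml_stream, events=("end",)):
        if elem.tag != "packet":
            continue
        packet_no += 1
        row = None
        for field in elem.iter("field"):  # document order, any nesting depth
            name = field.get("name")
            if name not in FIELDS:
                continue
            if name == GROUP_START or row is None:
                if row is not None:
                    yield packet_no, row  # previous message is complete
                row = dict.fromkeys(FIELDS, "")  # optional fields stay empty
            row[name] = field.get("show", "")
        if row is not None:
            yield packet_no, row
        elem.clear()  # release the finished packet on large captures

def write_csv(pdml_stream, out):
    """Write a header plus one line per M3UA message; return the row count."""
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(("packet",) + FIELDS)
    count = 0
    for count, (no, row) in enumerate(extract_rows(pdml_stream), 1):
        writer.writerow([no] + [row[f] for f in FIELDS])
    return count

if __name__ == "__main__":  # real use: tshark -T pdml -r capture.cap | python script.py
    src = io.BytesIO(SAMPLE_PDML) if sys.stdin.isatty() else sys.stdin.buffer
    write_csv(src, sys.stdout)
```

Because the field list and separators live inside the script, nothing depends on how cmd.exe or a Unix shell treats nested quotes on the command line.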