Wireshark · Wireshark-users: [Wireshark-users] 答复: 答复: question, how to output specific fields in a complex packet using tshark

Wireshark-users: [Wireshark-users] 答复: 答复: question, how to output specific fields in a complex

Date: Tue, 13 Jul 2010 17:35:06 +0800

Yes, it’s in Windows CMD, in CMD the syntax recommend to use double quote(“), or it will return error like that:

Can't find string terminator "'" anywhere before EOF at -e line 1.

Using that line in CMD:

tshark.exe -T pdml -r "MCNew.cap" | perl -ane "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print $f,':',$1,',';}}"

the result is the same you got before:

m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,

but I thought that if the result is like that

m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,

it will be more easily used by other program.

发件人: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] 代表 Martin Visser
发送时间: 2010年7月13日 14:28
收件人: Community support list for Wireshark
主题: Re: [Wireshark-users] 答复: question, how to output specific fields in a complex packet using tshark command line

I think you have a shell substitution problem. (I was doing this in Cygwin on Windows, which would be compatible with Linux/UNIX shells), but I am guess you are doing this in Windows CMD.

I noticed you changed my single quote (') to a double quote (") after perl -ane and at the end. Can you leave these as a single quote? Otherwise you might need to escape the characters that seemed to have gone missing so "$f:$1," becomes "$f\:$1\," (or something like that)

Sorry, but Windows CMD does some strange (hence why those in the know use Cygwin if they have to do this thing on Windows).

Alternately you can put everything in a self-contained Perl script, and not have to understand the Windows command shell idiosyncrasies.

Regards, Martin

MartinVisser99@xxxxxxxxx

On Tue, Jul 13, 2010 at 2:13 PM, damker <damker@xxxxxxxx> wrote:

Thanks, the theory is ok, but something others happened.

My OS is WIN7+ActivePerl 5.10,

When using

tshark.exe -T pdml -r "d:\temp\MCNew.cap" | perl -ane "@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId); foreach $f (@flist) { if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}" > d:\temp\mcnew.txt

error reported:

syntax error at -e line 1, near "$f:"

Execution of -e aborted due to compilation errors.

tshark: An error occurred while printing packets: Invalid argument.

When using

result is:

m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId2046823431m3ua.protocol_data_opc1310708m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId3825208323m3ua.protocol_data_opc1307719m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId3288337409m3ua.protocol_data_opc1307817m3ua.protocol_data_dpc1307721m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId2449476613m3ua.protocol_data_opc1307690m3ua.protocol_data_dpc1307721h248.transactionId752404340

there is no char “,”,any suggestion to solve this?

发件人: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] 代表 Martin Visser
发送时间: 2010年7月13日 8:03
收件人: Community support list for Wireshark
主题: Re: [Wireshark-users] question, how to output specific fields in a complex packet using tshark command line

Unfortunately each -e field only matches a single instance. You are better off parsing the PDML output, that outputs all of the fields by iterating through the field. I have created a perl one-liner that can do this:-

tshark.exe -T pdml -r "MCNew.cap" | perl -ane '@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId);\
foreach $f (@flist) {\
if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$1,";}}'

Output is:

1307690,1307721,2046823431,1310708,1307721,1307690,1307721,3825208323,
1307719,1307721,1307690,1307721,3288337409,1307817,1307721,1307690,
1307721,2449476613,1307690,1307721,752404340,

Note that it seems (with this protocol) that as there seems to be a variable number of same field and some are option (for instance the second opc/dpc set doesn't have a matching transactionId), I would include the field name in the output so:

tshark.exe -T pdml -r "MCNew.cap" | perl -ane '@flist=qw(m3ua.protocol_data_opc m3ua.protocol_data_dpc h248.transactionId);\
foreach $f (@flist) {\
if(/field name=\"$f\".*show=\"(.*?)\".*/){print "$f:$1,";}}'

m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2046823431,
m3ua.protocol_data_opc:1310708,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3825208323,
m3ua.protocol_data_opc:1307719,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:3288337409,
m3ua.protocol_data_opc:1307817,m3ua.protocol_data_dpc:1307721,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:2449476613,
m3ua.protocol_data_opc:1307690,m3ua.protocol_data_dpc:1307721,h248.transactionId:752404340,

Regards, Martin

MartinVisser99@xxxxxxxxx

2010/7/12 damker <damker@xxxxxxxx>

发件人: damker [mailto:damker@xxxxxxxx]
发送时间: 2010年7月12日 16:26
收件人: 'Wireshark-users-request@xxxxxxxxxxxxx'
主题: help,how to output specific fields in a complex packet using tshark command line

Help

The attachment is a packet captured in the Mc interface, there are 8 SCTP and upper layers, I want to output all the m3ua.protocol_data_opc, m3ua.protocol_data_dpc,h248.transactionId in every M3UA.

If put the file in d:\temp\ and using the command line below:

tshark -r d:\temp\MCNew.cap -T fields -E separator=, -e m3ua.protocol_data_opc -e m3ua.protocol_data_dpc -e h248.transactionId >d:\temp\h248.txt

it output the last m3ua.protocol_data_opc, m3ua.protocol_data_dpc,h248.transactionId,not all. how to write a correct command line to output all the fields I want?

___________________________________________________________________________
Sent via: Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives: http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe

Follow-Ups:
- Re: [Wireshark-users] 答复: 答复: question, how to output specific fields in a complex packet using tshark command line
  - From: Martin Visser

References:
- [Wireshark-users] question, how to output specific fields in a complex packet using tshark command line
  - From: damker
- Re: [Wireshark-users] question, how to output specific fields in a complex packet using tshark command line
  - From: Martin Visser
- [Wireshark-users] 答复: question, how to output specific fields in a complex packet using tshark command line
  - From: damker
- Re: [Wireshark-users] 答复: question, how to output specific fields in a complex packet using tshark command line
  - From: Martin Visser

Prev by Date: Re: [Wireshark-users] 答复: question, how to output specific fields in a complex packet using tshark command line
Next by Date: [Wireshark-users] basic install question
Previous by thread: Re: [Wireshark-users] 答复: question, how to output specific fields in a complex packet using tshark command line
Next by thread: Re: [Wireshark-users] 答复: 答复: question, how to output specific fields in a complex packet using tshark command line
Index(es):
- Date
- Thread