wireshark-users October 2010 archive

Re: [Wireshark-users] tshark "information" field filter

From: Stephen Fisher <steve_at_nospam>
Date: Tue Oct 19 2010 - 21:46:10 GMT
To: Community support list for Wireshark <wireshark-users@wireshark.org>

On Tue, Oct 19, 2010 at 01:35:00PM +0200, fajfusio@wp.pl wrote:

> I would like to print the "information" field in tshark. The
> information means the contents of the information column from
> wireshark.

> I don't know what field name to use in tshark's -e option.

The info column will not work in -e as that is only for filterable
fields (such as tcp.port). You can specify the columns to use in tshark
by overriding (-o) the preference file setting for column.format using
the syntax taken from the preferences file:

        # Packet list column format.
        # Each pair of strings consists of a column title and its format.
        column.format:
                "No.", "%m",
                "Time", "%t",
                "Source", "%s",
                "Destination", "%d",
                "Protocol", "%p",
                "Info", "%i"

For example, to only show the info column's contents in tshark:

        tshark -o column.format:"Info, %i"

The first word is the title of the column, which won't be shown in
tshark anyway. The % variables can be found in epan/column.c of the
source code:

  http://anonsvn.wireshark.org/viewvc/trunk/epan/column.c?view=markup

And cross-referencing the descriptions in epan/column_info.h:

http://anonsvn.wireshark.org/viewvc/trunk/epan/column_info.h?view=markup

... we should probably make this easier as I could barely even remember
how to do it :)
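
Added example, not part of the original message and not Wireshark project code: a small shell wrapper that builds the column.format override in the quoted pair syntax of the preferences file, so column titles containing spaces reach tshark intact as one -o argument. The function names column_format_pref and print_columns and the capture file name are hypothetical; only the % variables quoted in the message are used.

```shell
#!/bin/sh
# Build the value for tshark's -o option from TITLE FORMAT pairs, using the
# quoted pair syntax of the preferences file quoted in the message.
# column_format_pref is a hypothetical helper name, not part of tshark.
column_format_pref() {
    if [ $# -eq 0 ] || [ $(( $# % 2 )) -ne 0 ]; then
        echo "usage: column_format_pref TITLE FORMAT [TITLE FORMAT ...]" >&2
        return 2
    fi
    out=''
    while [ $# -gt 0 ]; do
        title=$1
        fmt=$2
        shift 2
        # A double quote inside a title would break the quoted pair syntax.
        case $title in
            *\"*) echo "column title must not contain a double quote: $title" >&2
                  return 2 ;;
        esac
        # Every format must be a % variable such as %i (Info) or %m (No.).
        case $fmt in
            %?*) ;;
            *) echo "column format must be a % variable: $fmt" >&2
               return 2 ;;
        esac
        out="${out:+$out, }\"$title\", \"$fmt\""
    done
    printf 'column.format:%s\n' "$out"
}

# Print the chosen columns for every packet in a capture file (-r reads a file).
# The preference is passed as a single argument, so the inner double quotes
# are not consumed by the shell.
print_columns() {
    pcap=$1
    shift
    pref=$(column_format_pref "$@") || return
    tshark -r "$pcap" -o "$pref"
}

# Constructed usage: print_columns capture.pcap "No." %m "Info" %i
```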