Question

I want to parse the standard header outputs of tshark. Since the default doesn't work, I am using a custom field parser that does almost the same thing. What I am missing is the resolution of the name of the protocol. My command is:

sudo tshark -b 256 -P -T fields -e frame.time_epoch -e ip.src -e ip.dst -e ip.proto -e ip.len -e col.Info -E separator=';' -b filesize:65535 -b files:10 -w tshark_tmp

This almost works; what I get is (this example is capturing two pings):

1378869929.862628000;192.168.78.252;192.168.78.53;1;84;Echo (ping) request  id=0x0abe, seq=65/16640, ttl=64
1378869929.863188000;192.168.78.53;192.168.78.252;1;84;Echo (ping) reply    id=0x0abe, seq=65/16640, ttl=64 (request in 1)

The same two pings look like this in the normal, no custom field tshark:

0.000000 192.168.78.252 -> 192.168.78.53 ICMP 98 Echo (ping) request  id=0x0abe, seq=13/3328, ttl=64
0.000707 192.168.78.53 -> 192.168.78.252 ICMP 98 Echo (ping) reply    id=0x0abe, seq=13/3328, ttl=64 (request in 1)

The main difference that I need to solve is that in mine I get 84 for the protocol, whereas tshark prints ICMP 98. I could implement my own lookup table, but there is a large number of protocols and tshark already knows how to decode them; I just need to figure out how to get that in my parsing.

Solution

As of the 1.11.x and 1.12 versions of tshark, the field names are _ws.col.Protocol and _ws.col.Info, instead of col.Protocol and col.Info.

Example:

tshark -T fields -e _ws.col.Protocol -e _ws.col.Info

Source: col.Protocol missing from tshark 1.11.3 and 1.12.0-rc2
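The following is an added example, not code from the question or the answer: a small Python parser for the ';'-separated output the question's command produces once -e _ws.col.Protocol is added in front of -e _ws.col.Info. The sample lines are constructed from the two pings in the question with the extra protocol column inserted; the field order and separator are assumptions matching the command line.

```python
"""Parse tshark '-T fields -E separator=';'' output that includes the
_ws.col.Protocol column (tshark 1.11.x / 1.12 field name)."""

# Field list in the same order as the -e options passed to tshark (assumed).
FIELDS = [
    "frame.time_epoch", "ip.src", "ip.dst", "ip.proto", "ip.len",
    "_ws.col.Protocol", "_ws.col.Info",
]
SEPARATOR = ";"  # matches -E separator=';'

# Constructed sample: the two pings from the question, with the
# _ws.col.Protocol column added before the Info column.
SAMPLE_OUTPUT = """\
1378869929.862628000;192.168.78.252;192.168.78.53;1;84;ICMP;Echo (ping) request  id=0x0abe, seq=65/16640, ttl=64
1378869929.863188000;192.168.78.53;192.168.78.252;1;84;ICMP;Echo (ping) reply    id=0x0abe, seq=65/16640, ttl=64 (request in 1)
"""


def parse_line(line, fields=FIELDS, sep=SEPARATOR):
    """Split one tshark fields line into a dict keyed by field name.

    The last field (Info) is free text and may itself contain the separator
    when no -E quote option is used, so split at most len(fields)-1 times
    and keep the remainder whole.
    """
    parts = line.rstrip("\n").split(sep, len(fields) - 1)
    if len(parts) != len(fields):
        raise ValueError("expected %d fields, got %d: %r"
                         % (len(fields), len(parts), line))
    rec = dict(zip(fields, parts))
    rec["frame.time_epoch"] = float(rec["frame.time_epoch"])
    # ip.proto / ip.len are empty for non-IP frames (e.g. ARP); keep None then.
    for key in ("ip.proto", "ip.len"):
        rec[key] = int(rec[key]) if rec[key] else None
    return rec


def parse_output(text, fields=FIELDS, sep=SEPARATOR):
    """Parse all non-empty lines of a tshark fields dump."""
    return [parse_line(l, fields, sep) for l in text.splitlines() if l.strip()]


if __name__ == "__main__":
    for rec in parse_output(SAMPLE_OUTPUT):
        print("%.6f %s -> %s %s %s" % (rec["frame.time_epoch"], rec["ip.src"],
                                       rec["ip.dst"], rec["_ws.col.Protocol"],
                                       rec["_ws.col.Info"]))
```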

OTHER TIPS

Found the answer

-e col.Protocol

As always happens, you work on a problem for days, post the question, then find the answer.

Licensed under: CC-BY-SA with attribution