Wireshark-dev: Re: [Wireshark-dev] Automatic test for a dissector DLL
From: Douglas Wood <doug.wood@xxxxxxxx>
Date: Tue, 14 Dec 2010 06:29:57 -0500
The way I do this is to modify the printpdml code.  I had similar requirements to "flatten" the hierarchy to create something more amenable to statistical analysis.  Dealing with PDML output that reaches 10 gigabytes of XML, all in one XML document, requires writing incredibly weird XML processing code.  You certainly can't use DOM.  It also takes a huge amount of CPU time, just dealing with XML.

But, wireshark is organized to call the PDML print code with all the fields.  It is very easy to "flatten" the hierarchy and choose what to keep.  It is possible that the CSV print code is easier to modify and may do what you want with no modification.  Either that mode did not exist when I started working my own modifications, or I just was clueless about where to get flattened data.

Sent from my iPad

On Dec 14, 2010, at 4:46 AM, Jaap Keuter <jaap.keuter@xxxxxxxxx> wrote:

> Hi,
> 
> One way or the other you'll have to script it.
> Take the tshark -V output, pull it through awk/sed/perl/<your favorite tool>
> to see where your protocol output starts (check lines starting at start-of-line
> for your protocol name) and go from there (until empty line).
> 
> Thanks,
> Jaap
> 
> On Tue, 14 Dec 2010 06:11:39 +0100, Andreas <AndreasSander1@xxxxxxx>
> wrote:
>> On 13.12.2010 23:52, didier wrote:
>>>> tshark -V -r sample_file.pcap
>>>> 
>>>> Unfortunately I get the whole tree. I failed to specify that only my
>>>> dissector's output is reported.
>>>> 
>>>> How can I limit the output to one protocol level. As an example the TCP
>>>> level would be great (without IP, Ethernet, Frame)?
>>> tshark -T pdml -r file.pcap
>>> and filter the xml output ?
>> 
>> Thanks. But this would also include all other protocols. But since I
>> have to parse XML I have to "filter" anyway. So I need an XML library to
>> do this...
>> 
>> --
>> Andy
> 
> ___________________________________________________________________________
> Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-dev
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
>             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe
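The scripting approach Jaap describes, written out as an added example (this is not code from anyone in the thread). It filters `tshark -V` text with awk: a line that starts at column 0 opens a new top-level protocol subtree, so the script keeps lines from the wanted protocol's top-level line up to the next top-level line or the blank line that ends the packet. The sample output embedded below is constructed by hand to resemble `tshark -V` for two abbreviated TCP packets; the function and sample names are my own.

```shell
#!/bin/sh
# Added example, not from the thread: extract one protocol's subtree from
# `tshark -V` output. Real usage would be:
#   tshark -V -r sample_file.pcap | extract_proto "Transmission Control Protocol"

# extract_proto NAME
# In tshark -V output every top-level protocol line begins at column 0 and
# its fields are indented below it; packets are separated by an empty line.
# Print lines from a top-level line that starts with NAME until the next
# top-level line or the next empty line.
extract_proto() {
    awk -v proto="$1" '
        /^[^ ]/ { inblock = (index($0, proto) == 1) }  # new top-level subtree
        /^$/    { inblock = 0 }                         # end of packet
        inblock { print }
    '
}

# Constructed sample that mimics `tshark -V` for two abbreviated packets
# (not real capture output; field lists are shortened).
sample_tshark_v() {
    cat <<'EOF'
Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
    Arrival Time: Dec 14, 2010 06:11:39.000000000 CET
Ethernet II, Src: 00:11:22:33:44:55, Dst: 66:77:88:99:aa:bb
    Destination: 66:77:88:99:aa:bb
    Source: 00:11:22:33:44:55
Internet Protocol Version 4, Src: 192.0.2.1, Dst: 192.0.2.2
    Version: 4
Transmission Control Protocol, Src Port: 50000, Dst Port: 80, Seq: 0, Len: 0
    Source Port: 50000
    Destination Port: 80
    Flags: 0x002 (SYN)

Frame 2: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
Ethernet II, Src: 66:77:88:99:aa:bb, Dst: 00:11:22:33:44:55
Internet Protocol Version 4, Src: 192.0.2.2, Dst: 192.0.2.1
Transmission Control Protocol, Src Port: 80, Dst Port: 50000, Seq: 0, Ack: 1, Len: 0
    Source Port: 80
    Destination Port: 50000
    Flags: 0x012 (SYN, ACK)
EOF
}

# Stand-alone demonstration on the constructed sample: prints only the two
# TCP subtrees (8 lines), nothing from Frame, Ethernet or IP.
sample_tshark_v | extract_proto "Transmission Control Protocol"
```

The same filter works for a custom dissector: pass the protocol name exactly as the dissector registers it for the tree root. Note that current tshark versions also accept `-O <protocols>` to print details only for the listed protocols, which removes the need for the awk step when that option is available.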