Wireshark-dev: Re: [Wireshark-dev] For TShark, provide a way to control the output format. E.g.
From: Chris Maynard <Chris.Maynard@xxxxxxxxx>
Date: Thu, 15 Sep 2011 13:39:43 +0000 (UTC)
Guy Harris <guy@...> writes:

> On Sep 13, 2011, at 4:05 PM, Yee Man Bergstrom wrote:
> 
> > From http://wiki.wireshark.org/WishList
> > For TShark, provide a way to control the output format. E.g., 'tshark -e "ip
udp tcp.port"' would expand
> the IP and UDP sections, and display the TCP port information.
> >  
> > This is already done in trunk as of revision 38990 unless I am missing
something.
> >  
> > You can perform the above scenario with
> > Ø  tshark –T fields –e ip –e udp –e tcp.port
> 
> Well, not exactly.  The wish list request was for "-T text" (which is the
default), not "-T fields". 
> Expanding the IP and UDP sections can be done in that format with -O, but
partially expanding the TCP
> section to show only the port can't be done that way.

But the -e option isn't valid without -T fields, so that implies that -T fields
was erroneously omitted in the wish list request, does it not?

Regardless, it's not currently possible to simultaneously specify -V -O
<protocol list> along with -T fields -e <field>.  The inclusion of -T fields -e
<field> overrides the -V -O <protocol list> options.