Wireshark-users: Re: [Wireshark-users] Help needed controlling tshark output format
Great. The latter would work well for me. Remember the header value. How
long do you think it would take to do this, and how will I know when it's
available?
Meanwhile, how did you do the delimiter in -o column format?
-w doesn't have a text output option, that's why I use >
Any idea if point 3 below is possible?
From: "Rob MacKenzie" <rmackenzie@xxxxxxx>
Date: Mon, 2 Jun 2008 10:44:50 -0400
I know your problem. I am looking at providing a patch soon, but I
haven't decided if I should modify the -o column.output or add
options for %i style info into -T fields. Probably the latter.
In the meantime, I just added a hardcoded delimiter to a custom version
of Tshark I compiled for the -o column.format method.
For the custom fields, check to make sure you are running at least 1.0.0
of Tshark, as it was recently added. Also, you should be using -T
fields, not -t text. Lastly, it might be easier to use -w for
outputting the -T fields to a file than using stdout redirection.
From Andrew Cuthbertson
1. I want to get data out in a delimited format to load into a
spreadsheet/database for custom reporting and analysis.
2. I would like to be able to get the data value and the decoded value.
eg tcp.port value is 80, decoded value is http
3. I would like to see if the packets are marked by a specified analysis
flag, eg tcp.analysis.retransmission