On Tue, Oct 19, 2010 at 01:35:00PM +0200, fajfusio@xxxxx wrote:
> I would like to print the "information" field in tshark. The
> information means the contents of the information column from
> wireshark.
> I don't know what field name to use in tshark's -e option.

The info column will not work in -e as that is only for filterable
fields (such as tcp.port). You can specify the columns to use in tshark
by overriding (-o) the preference file setting for column.format using
the syntax taken from the preferences file:

    # Packet list column format.
    # Each pair of strings consists of a column title and its format.
    column.format:
            "No.", "%m",
            "Time", "%t",
            "Source", "%s",
            "Destination", "%d",
            "Protocol", "%p",
            "Info", "%i"

For example, to only show the info column's contents in tshark:

    tshark -o column.format:"Info, %i"

The first word is the title of the column, which won't be shown in
tshark anyway. The % variables can be found in epan/column.c of the
source code:

    http://anonsvn.wireshark.org/viewvc/trunk/epan/column.c?view=markup

And cross-referencing the descriptions in epan/column_info.h:

    http://anonsvn.wireshark.org/viewvc/trunk/epan/column_info.h?view=markup

... we should probably make this easier as I could barely even remember
how to do it :)
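
Added example, not part of the original message or of Wireshark's code: a POSIX shell helper that turns a column.format block like the one quoted above into the one-line value for tshark's -o option, optionally keeping only the named columns in the order given. The function names, the embedded sample input and the capture.pcap file name are assumptions made for the illustration.

```shell
# Usage: column_format_override [TITLE ...] < preferences-excerpt
# With no TITLE arguments every column is kept, in file order.
column_format_override() (
    IFS='|'; wanted="$*"        # titles joined with '|' (assumes no '|' in a title)
    awk -v wanted="$wanted" '
        /^[ \t]*#/ { next }     # skip preference-file comment lines
        { buf = buf $0 }        # join the setting and its continuation lines
        END {
            # Collect the double-quoted strings in order: title, format, title, ...
            n = 0
            while (match(buf, /"[^"]*"/)) {
                item[++n] = substr(buf, RSTART + 1, RLENGTH - 2)
                buf = substr(buf, RSTART + RLENGTH)
            }
            if (n == 0 || n % 2 != 0) {
                print "column.format: expected title/format pairs" > "/dev/stderr"
                exit 1
            }
            for (i = 1; i < n; i += 2) fmt[item[i]] = item[i + 1]
            # Default: keep every title in the order the file lists them.
            if (wanted == "") { for (i = 1; i < n; i += 2) keep[++k] = item[i] }
            else              { k = split(wanted, keep, "|") }
            out = "column.format:"
            for (j = 1; j <= k; j++) {
                if (!(keep[j] in fmt)) {
                    print "no such column title: " keep[j] > "/dev/stderr"
                    exit 1
                }
                out = out (j > 1 ? "," : "") "\"" keep[j] "\",\"" fmt[keep[j]] "\""
            }
            print out
        }'
)
# Constructed sample input: the preferences excerpt quoted in the message above.
sample_prefs() {
    cat <<'EOF'
# Packet list column format.
# Each pair of strings consists of a column title and its format.
column.format:
"No.", "%m",
"Time", "%t",
"Source", "%s",
"Destination", "%d",
"Protocol", "%p",
"Info", "%i"
EOF
}
# Use: tshark -r capture.pcap -o "$(sample_prefs | column_format_override Source Info)"
```

An unknown title or an odd number of quoted strings makes the function print an error and return non-zero, so a typo does not silently produce an empty column list.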