Wireshark-users: Re: [Wireshark-users] Wireshark 1.6 and Fields
Date Index · Thread Index · Other Months · All Mailing Lists
Date Prev · Date Next · Thread Prev · Thread Next
From: Stephen Fisher <steve@xxxxxxxxxxxxxxxxxx>
Date: Fri, 10 Jun 2011 12:02:01 -0600
On Fri, Jun 10, 2011 at 10:13:04AM -0700, Barry Constantine wrote:

> Hope this is not a dumb question, but I was wondering if anyone could 
> provide more insight into these two (2) new features of 1.6:
> 
> 
> * TShark can show a specific occurrence of a field when using '-T 
> fields'.
> 
> * Custom columns can show a specific occurrence of a field.

In Wireshark, you can add a new column of field type "custom" and then 
specify a filter name for the field name such as "ip.addr" and then the 
field occurence field can take different values as shown by the text 
when you point the mouse cursor to the field: 0 = all (default), 1 = 
first, 2 = second ..., -1 = last.  So if in this example ip.addr shows 
up multiple times in the same packet, "1" will show only the value only 
from the first time it shows up in the dissection tree (middle pane).  
Otherwise all of them will show up with (if I remember correctly) commas 
in between.  Tshark has something similar but I don't know the syntax 
off the top of my head (check "tshark -h" probably).