tshark outputting all fields?

gak · Mar 6, 2013 · Viewed 18k times

Is it possible to get tshark to output every field (within the packet) using the -T fields option, or similar?

e.g. For every field in the packet/reconstruction, I would like something like this:

eth.src:f2:3c:91:96:fd:09,ip.src:1.2.3.4,tcp.dst_port:80,http.request.uri:/index.html

(The comma could be replaced with a \xff to make parsing better when values contain commas.)

I realise there is the -e option but it seems that I would have to put in every single possible field in the command line. On top of that, only a small fraction of fields will be used in each packet, which makes for a lot of data to parse.

I currently plan to use the tshark -V option and parse that, but ideally I would like more machine-style terms such as http.request.uri instead of "human readable" ones, e.g.:

Hypertext Transfer Protocol
    GET /main.php HTTP/1.1\r\n
        [Expert Info (Chat/Sequence): GET /main.php HTTP/1.1\r\n]
            [Message: GET /main.php HTTP/1.1\r\n]
            [Severity level: Chat]
            [Group: Sequence]
        Request Method: GET
        Request URI: /main.php

Answer

gak · Mar 6, 2013

Just stumbled across:

tshark -T pdml

which is exactly what I need:

<packet>
  <proto name="geninfo" pos="0" showname="General information" size="173">
    <field name="num" pos="0" show="323" showname="Number" value="143" size="173"/>
    <field name="len" pos="0" show="173" showname="Frame Length" value="ad" size="173"/>
    <field name="caplen" pos="0" show="173" showname="Captured Length" value="ad" size="173"/>
    <field name="timestamp" pos="0" show="Aug  7, 2011 16:16:13.579504000 EST" showname="Captured Time" value="1312697773.579504000" size="173"/>
  </proto>
  <proto name="frame" showname="Frame 323: 173 bytes on wire (1384 bits), 173 bytes captured (1384 bits)" size="173" pos="0">
    <field name="frame.time" showname="Arrival Time: Aug  7, 2011 16:16:13.579504000 EST" size="0" pos="0" show="Aug  7, 2011 16:16:13.579504000"/>
    ... etc.

It includes the Wireshark filter name, as well as all the fields that are included in the packet.

Update: This is quite slow, and hacking up tshark.c so that -V prints the abbrev instead of the name from the header_field_info *hfinfo does the trick too. I should probably contribute this as an option when I get the chance.