Version 3.0.6 -e data.data no colon separator
Hello everyone, i am working on extracting tcp packets from a pcap file. I've been using 2.2.6 version of wireshark and have always retrieved the packet data using -e data.data using tshark command.
To my surprise when i upgraded to 3.0.6 the packets are now not separated by colon.
Do i need to set something in wireshark for the colons to appear or to is there another command i need to add in my script?
i'm a 2 week old user and started in 2.2.6 your help is highly appreciated!
Comments
Can you show the full command you're using?
@grahamb, an example would be, using the capture file from Bug 15303:
With 2.6.6, you get:
With 3.0.6, you get:
If you look at frame 119 with a "-T" of ek, json or pdml, the data is available with ":" between bytes. Something changed with the "-e" option between versions.
$ tshark -r ./eth-fcs-status-bad-from-onboard-NIC.pcapng -Y frame.number==119 -T pdml | tail -10 <proto name="fake-field-wrapper"> <field name="data" value="00000000000000000000000000000000000000000000000000000000000000"> <field name="data.data" showname="Data: 000000000000000000000000000000000000000000000000\xe2\x80\xa6" size="31" pos="29" show="00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00" value="00000000000000000000000000000000000000000000000000000000000000"/> <field name="data.len" showname="Length: 31" size="0" pos="29" show="31"/> </field> </proto> </packet> </pdml> $