Piping tshark to sed intermittently displays packet number in addition to filter.

retag add tags

I want to view just the ethernet address of the frame and then swap the ':' for '-' in the output. But the output seems to randomly display the frame number in addition to the MAC address. In the snip below you can see the frame number in the 4th frame and the 21st and 22nd. It seem to show up randomly. Is this a bug or something wrong with my syntax? The output without piping is fine, it's only when I pipe it into sed that thinks get wonky.

Note: dropping the '-l' from tshark only displays the frame number when piping to sed. That is also unexpected.

Here is my syntax:

tshark -i en10 -T fields -e eth.src -l | sed s/:/-/g

Does this:

72-81-eb-8e-6f-3a

4 72-81-eb-8e-6f-3a

72-81-eb-e8-4c-28

72-81-eb-8e-6f-3a

72-81-eb-e8-4c-28

72-81-eb-8e-6f-3a

72-81-eb-e8-4c-28

72-81-eb-8e-6f-3a

72-81-eb-e8-4c-28

72-81-eb-8e-6f-3a

21 72-81-eb-8e-6f-3a

22 72-81-eb-8e-6f-3a

72-81-eb-e8-4c-28

72-81-eb-8e-6f-3a

colin

asked 2017-11-25 21:10:20 +0000

edit flag offensive 0 remove flag close merge delete

Comments

What version of tshark are you running? I recall a bug related to this that was fixed long ago. Perhaps you're using a very old version of tshark?

cmaynard (2017-11-25 23:25:19 +0000) edit

I can reproduce it with a recent build from the master branch. See analysis in my answer.

Guy Harris (2017-11-26 00:43:43 +0000) edit

add a comment see more comments

1 Answer

Sort by

oldest

newest

most voted

This is a bug in Wireshark. Please file a bug report on this at the Wireshark Bugzilla.

The number being printed is a count of packets captured. TShark won't print that if it's printing the packet information directly to a terminal, but it will do so if it hasn't been run with -q and it's not writing to a terminal.

Unfortunately, if it's writing to a pipe, it doesn't know whether the program at the end of the pipeline is writing to the terminal, so it can't suppress the packet count only in that case.

Equally unfortunately, there's no way to say "print packet information to the standard output but don't print the packet count"; -q will suppress the packet count and the packet information. The bug here is that you have no way to get packet information without packet counts if you're writing to a pipe. (And, in fact, -T fields should be sufficient to indicate that packet information should be sent to the standard output.)

Dropping -l means that packet information is buffered within the print routines in the C library, meaning that it won't be sent to the standard output until 4096 or so bytes of packet information have been written; it's not suppressed, it's just delayed, possibly for a long time. The packet counts are directly written to the standard error by TShark, so they show up.

19.9k

Guy Harris

answered 2017-11-25 23:12:40 +0000, updated 2017-11-25 23:24:48 +0000

edit flag offensive 0 remove flag delete link

Comments

Packet counts going to stderr, so these could be deferred to /dev/null before the pipe. This should do the trick:

tshark -i en10 -T fields -e eth.src -l 2>/dev/nul | sed s/:/-/g

Jaap (2017-11-26 10:19:50 +0000) edit

add a comment see more comments

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account. This space is reserved only for answers. If you would like to engage in a discussion, please instead post a comment under the question or an answer that you would like to discuss.

Add Answer

Piping tshark to sed intermittently displays packet number in addition to filter. edit

Comments

1 Answer

Comments