T-shark is a powerful command-line sibling of Wireshark, the packet capture tool.
At the basic verbosity level, you get one text row per packet, with just some basic information. Example:
tshark -n -i eth1
This yields:
1 0.000000000 ec:46:70:00:fc:ad → 01:1b:19:00:00:00 PTPv2 124 Announce Message
2 0.364764469 00:60:e9:2e:bd:f8 → 01:80:c2:00:00:0e PTPv2 68 Path_Delay_Req Message
3 0.364796580 00:0b:ab:45:b4:d0 → 01:80:c2:00:00:0e PTPv2 68 Path_Delay_Resp Message
4 0.364830284 00:0b:ab:45:b4:d0 → 01:80:c2:00:00:0e PTPv2 68 Path_Delay_Resp_Follow_Up Message
5 0.704678057 00:0b:ab:45:b4:d0 → 01:80:c2:00:00:0e PTPv2 68 Path_Delay_Req Message
6 0.720285509 00:60:e9:2e:bd:f8 → 01:80:c2:00:00:0e PTPv2 68 Path_Delay_Resp Message
7 0.729102466 00:60:e9:2e:bd:f8 → 01:80:c2:00:00:0e PTPv2 68 Path_Delay_Resp_Follow_Up Message
8 0.757962110 ec:46:70:00:fc:ad → 01:1b:19:00:00:00 PTPv2 60 Sync Message
9 0.767993002 ec:46:70:00:fc:ad → 01:1b:19:00:00:00 PTPv2 60 Follow_Up Message
10 1.000119946 ec:46:70:00:fc:ad → 01:1b:19:00:00:00 PTPv2 124 Announce Message
If you call tshark with the -V argument, it gets verbose = dissects the contents of the packets. E.g. for PTP, I get maybe two pages of dissected listing per packet. A short snippet for example:
Precision Time Protocol (IEEE1588)
0000 .... = transportSpecific: 0x0
...0 .... = 802.1as conform: False
.... 1011 = messageId: Announce Message (0xb)
.... 0010 = versionPTP: 2
messageLength: 110
subdomainNumber: 0
flags: 0x003c
0... .... .... .... = PTP_SECURITY: False
.0.. .... .... .... = PTP profile Specific 2: False
..0. .... .... .... = PTP profile Specific 1: False
.... .0.. .... .... = PTP_UNICAST: False
.... ..0. .... .... = PTP_TWO_STEP: False
...etc. The verbose dump really is a wallpaper.
You can also select individual fields to print, using the -T and -e arguments. Example:
tshark -i eth1 -T fields -e ptp.v2.messageid -e ptp.v2.sequenceid -e ptp.v2.correction.ns
This can yield:
2 2087 0
3 2087 0
10 2087 0
0 14206 13255
8 14206 0
Note that the messageId field, the first column above, is printed numeric (and decimal). Note that this particular field encodes "message type". E.g., 0xB encodes the Announce Message. Wireshark/T-shark know how to interpret it, and give you a textual description in the expanded Verbose output. Also, in the default compact output (one row per packet), you get that messageId interpreted too. The GUI-flavoured Wireshark has a column in the grid, called Info, which contains this textual interpretation of the message type.
Just... how do I ask for this textual interpretation of the ptp.v2.messageid, when using a custom "fields" output using -T and -e? Either the interpretation corresponding to the ptp.v2.messageid field specifically, or the derived "Info" field. Is there any way?
I'm using my specific examples, but the question is possibly broader = how to ask tshark for a textual interpretation of a specific field using -T / -e.
0 Answers
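One route tshark itself offers for the textual interpretation the question asks about is its PDML output (-T pdml), where every dissected field carries a human-readable showname attribute next to the raw show value. The Python script below is an added example, not part of the original post: it parses such output for the three fields from the question, using a constructed PDML fragment (the messageId showname is copied from the verbose listing above; the other two fields' attributes are made up) in place of a live capture.

```python
# Added example (not from the original post): pull the textual
# interpretation of a field out of tshark's PDML output.  -T fields prints
# only the raw value; -T pdml emits a numeric "show" and a "showname".
import xml.etree.ElementTree as ET

# Constructed sample of `tshark -r capture.pcap -T pdml` output for the
# Announce packet in the question (abridged; messageId's showname is taken
# from the verbose listing above, the other two fields are made up).
PDML_SAMPLE = """<pdml version="0" creator="constructed-sample">
  <packet>
    <proto name="ptp" showname="Precision Time Protocol (IEEE1588)" size="110" pos="14">
      <field name="ptp.v2.messageid" showname=".... 1011 = messageId: Announce Message (0xb)" size="1" pos="14" show="11" value="1b"/>
      <field name="ptp.v2.sequenceid" showname="sequenceId: 14206" size="2" pos="44" show="14206" value="377e"/>
      <field name="ptp.v2.correction.ns" showname="correction: 0 nanoseconds" size="6" pos="22" show="0" value="000000000000"/>
    </proto>
  </packet>
</pdml>
"""

def pretty(showname):
    """Strip the bit diagram ('.... 1011 = ') and the field label
    ('messageId: ') that Wireshark prepends, keeping the interpretation."""
    if " = " in showname:
        showname = showname.split(" = ", 1)[1]
    if ": " in showname:
        showname = showname.split(": ", 1)[1]
    return showname

def pdml_rows(pdml_text, names):
    """One row per packet, like -T fields, but with each requested field's
    showname instead of its raw value (raw value if no showname is set)."""
    rows = []
    for packet in ET.fromstring(pdml_text).iter("packet"):
        row = []
        for name in names:
            el = packet.find(f".//field[@name='{name}']")
            if el is None:
                row.append("")            # field absent in this packet
            elif el.get("showname") is None:
                row.append(el.get("show", ""))
            else:
                row.append(pretty(el.get("showname")))
        rows.append(row)
    return rows

if __name__ == "__main__":
    fields = ["ptp.v2.messageid", "ptp.v2.sequenceid", "ptp.v2.correction.ns"]
    for row in pdml_rows(PDML_SAMPLE, fields):
        print("\t".join(row))
```

For the derived Info column specifically, recent tshark releases also accept the column as a field name, e.g. -T fields -e frame.number -e _ws.col.Info.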