0

We are doing a packet capture from within our testing software using the command line:

tshark -V -i vlan2091 -R "bootp.hw.mac_addr contains "00:17:33:00:00:00""

The problem we have is one of the DHCP options is displayed in hex and cut short. Is there a way to stop it cutting the output off? Although hex is OK is there a way to get it to display in ASCII?

Option: (t=82,l=50) Agent Information Option Option: (82) Agent Information Option Length: 50 Value: 0130535443335F332D4E32354B2D31324D2D51312D535542... Agent Circuit ID: 535443335F332D4E32354B2D31324D2D51312D5355424142... End Option

MikeKulls
  • 336
  • 1
  • 2
  • 16

2 Answers2

1

You can try

tshark -i vlan2091 -R "bootp.hw.mac_addr contains '00:17:33:00:00:00'" -T fields -E bootp.option.agent_information_option.value

and

tshark -i vlan2091 -R "bootp.hw.mac_addr contains '00:17:33:00:00:00'" -T fields -E bootp.option.agent_information_option.agent_circuit_id.

Xavier Lucas
  • 13,095
  • 2
  • 44
  • 50
0

The bottom window of wireshark shows the entire packet in both hex and ASCII. You may have to drag its bar up to see the whole thing, or tou migyt have it hidden.

When you click a line in the decoded section, it should highlight the entire relevant part of the packet in the bottom window do you can see the full thing.

Grant
  • 17,859
  • 14
  • 72
  • 103
  • We are not using a GUI. We log into a redhat server via ssh and initiate a tshark capture. We solved the problem by ensuring the data is short enough to fit within the required no of characters. Not ideal but it works :-) – MikeKulls Mar 25 '15 at 00:53
  • @MikeKulls I usually save the capture and analyse it with the gui. Alternatively, you can remote capturing to use the gui in realtime from another machine. – Grant Mar 25 '15 at 01:29
  • Hi @Grant we are writing automated router tests so we can only use the text from the decoded shark dump. We could switch to use XML output or some other option but it is way too late to change now. – MikeKulls Mar 26 '15 at 04:29