
I'm generating XML-formatted output from a Wireshark dump using the following command:

tshark -r my_wireshark_data.pcap -T pdml > my_wireshark_data.xml

Looking at the XML file generated, I cannot figure out the meaning of the pos and size attributes, which appear everywhere. Can anyone explain, or provide a link to documentation?

Output snippet:

<pdml version="0" creator="wireshark/1.10.14" time="Mon Jun 20 15:27:45 2016" capture_file="my_wireshark_data.pcap">
<packet>
  <proto name="ip" ...>
    <field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
  </proto>
</packet>
</pdml>

Also:

Why is value set to 45 instead of 4?

What is the difference between showname and show?

1 Answer

Can anyone explain, or provide a link to documentation?

Why is value set to 45 instead of 4?

  • value (45) is the actual packet data, in hex, that this field covers

  • show (4) is the representation of the packet data (value) as it would appear in a display filter.

What is the difference between showname and show?

  • showname is the label used to describe this field in the protocol tree.

    This is usually the descriptive name of the protocol, followed by some representation of the value.

  • show (4) is the representation of the packet data (value) as it would appear in a display filter. (in this case the version number)

The "<field>" tag

"<field>" tags can have the following attributes:

  • name - the display filter name for the field
  • showname - the label used to describe this field in the protocol tree. This is usually the descriptive name of the protocol, followed by some representation of the value.
  • pos - the starting offset within the packet data where this field starts
  • size - the number of octets in the packet data that this field covers.
  • value - the actual packet data, in hex, that this field covers
  • show - the representation of the packet data ('value') as it would appear in a display filter.

Some dissectors sometimes place text into the protocol tree, without using a field with a field-name. Those appear in PDML as "<field>" tags with no 'name' attribute, but with a 'show' attribute giving that text.

Source: Protocol Dissection in XML Format

  • you explained it perfectly, thank you. Cheers for the link.
    – atreyu
    Commented Jun 21, 2016 at 14:48
  • If value (45), which I understand is the actual packet data, is in hex, how does that relate to show value, in this case 4? 45 hex is 69 decimal, so I am missing something.
    – atreyu
    Commented Jun 21, 2016 at 14:59
  • As far as I can tell the value has also been called unmasked value in some other places. My guess is that the display filter extracts from or manipulates the value to turn it into show. I don't know the details of how or why this happens (I'm no Wireshark expert).
    – DavidPostill
    Commented Jun 21, 2016 at 15:18
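An added worked example (not from the question, the answer or Wireshark itself) that ties the attributes together, including the point raised in the comments about value "45" versus show "4": it parses a small PDML fragment with the standard library, checks that each field's value is exactly the hex of the frame bytes at pos with length size, and recomputes show from value. The frame bytes and the PDML fragment are constructed for the example; the one fact relied on beyond the page is that the IPv4 version is the high nibble of the first header byte (0x45 = version 4, IHL 5 words), which is why a one-byte value of 45 displays as 4.

```python
# Added example, not part of the original page: verify PDML pos/size/value/show
# against raw frame bytes and reconstruct 'show' from 'value'.
import ipaddress
import xml.etree.ElementTree as ET

# Constructed raw frame: 14-byte Ethernet header followed by a 20-byte IPv4
# header with no payload. All addresses and values are made up for the example.
FRAME = bytes.fromhex(
    "001122334455" "66778899aabb" "0800"           # Ethernet dst, src, EtherType=IPv4
    "45" "00" "0014" "0000" "4000" "40" "06" "0000"  # ver/IHL, TOS, total len, id, flags, TTL, proto, csum
    "c0a80001" "c0a80002"                           # src 192.168.0.1, dst 192.168.0.2
)

# Constructed PDML fragment in the shape 'tshark -T pdml' emits. pos is the byte
# offset in the frame, size the byte count, value the raw hex of those bytes,
# show the display-filter representation (ip.hdr_len shown in bytes here).
PDML = """<pdml version="0" creator="constructed-example">
<packet>
  <proto name="ip" showname="Internet Protocol Version 4" size="20" pos="14">
    <field name="ip.version" showname="Version: 4" size="1" pos="14" show="4" value="45"/>
    <field name="ip.hdr_len" showname="Header Length: 20 bytes (5)" size="1" pos="14" show="20" value="45"/>
    <field name="ip.src" showname="Source: 192.168.0.1" size="4" pos="26" show="192.168.0.1" value="c0a80001"/>
    <field show="[Text-only tree item, no name attribute]" size="0" pos="14"/>
  </proto>
</packet>
</pdml>"""


def parse_fields(pdml_text):
    """Return a list of dicts for every named <field>; unnamed text-only fields are skipped."""
    root = ET.fromstring(pdml_text)
    fields = []
    for f in root.iter("field"):
        if f.get("name") is None:
            continue  # text placed in the tree without a field name: only 'show' is present
        fields.append({
            "name": f.get("name"),
            "pos": int(f.get("pos")),
            "size": int(f.get("size")),
            "value": f.get("value"),
            "show": f.get("show"),
        })
    return fields


def covered_bytes(frame, field):
    """Slice the raw bytes that pos/size say this field covers."""
    return frame[field["pos"]:field["pos"] + field["size"]]


def value_matches_frame(frame, fields):
    """True when every field's 'value' equals the hex of its covered bytes."""
    return all(covered_bytes(frame, f).hex() == f["value"].lower() for f in fields)


def decode_ip_version(value_hex):
    """ip.version covers one byte; the version is the high nibble (0x45 -> 4)."""
    return int(value_hex, 16) >> 4


def decode_ip_hdr_len_bytes(value_hex):
    """IHL is the low nibble of the same byte, in 32-bit words (0x45 -> 5 words = 20 bytes)."""
    return (int(value_hex, 16) & 0x0F) * 4


def decode_show(field):
    """Recompute the 'show' text from 'value' for the field types used in this example."""
    v = field["value"]
    if field["name"] == "ip.version":
        return str(decode_ip_version(v))
    if field["name"] == "ip.hdr_len":
        return str(decode_ip_hdr_len_bytes(v))
    if field["name"] == "ip.src":
        return str(ipaddress.IPv4Address(bytes.fromhex(v)))
    return None


def show_matches_value(fields):
    """True when the recomputed 'show' equals the PDML 'show' for every field."""
    return all(decode_show(f) == f["show"] for f in fields)


if __name__ == "__main__":
    fields = parse_fields(PDML)
    for f in fields:
        print(f["name"], "pos", f["pos"], "size", f["size"],
              "bytes", covered_bytes(FRAME, f).hex(), "show", f["show"])
    print("value matches frame:", value_matches_frame(FRAME, fields))
    print("show recomputed from value:", show_matches_value(fields))
```

Two fields (ip.version and ip.hdr_len) share the same pos and size because both are carried in the first header byte; value is the unmasked byte for each, and the dissector masks and scales it differently to produce each show. The same pos/size check is a cheap sanity test when post-processing PDML, since a mismatch between value and the frame bytes means the offsets are being read from the wrong layer.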
