Add a way to access the bytes of FT_PROTOCOL / FT_NONE fields when possible
Summary
In #15136 (closed), @Lekensteyn said:
tshark always uses "1" for fields that do not contain a value (FT_NONE) to signify presence of these fields. For protocols (FT_PROTOCOL) it always prints the protocol name (or whatever label was assigned manually to the field). I too would like an option to force the bytes to be presented instead. Maybe a new "-E" option could be added to force these fields to be displayed as bytes. Or more generically, add a special notation to force extraction of the underlying buffer, for example: tshark -r some.pcap -Tfields -e 'bytes(raw_sip)'
Steps to reproduce
Extract the field of an FT_PROTOCOL (or FT_NONE), whether by printing from tshark, the Copy->Value context menu, adding it as a custom column, etc.
What is the current bug behavior?
In most cases, "1" is used for FT_NONE and the tree representation is printed for FT_PROTOCOL. Both use check marks when added as column labels.
What is the expected correct behavior?
When filtering, there are ways (if we have an epan_dissect_t) to access the tvb a protocol is built from. For FT_NONE, in certain cases a filter can be constructed by accessing the raw bytes of the frame, if we have it.