Package: tshark
Version: 1.12.7+g7fc8978-1
Severity: normal

Running "tshark -r" on some pcap file gives badly formatted output; while
some columns have a sane width, others are simply wrong.

Here's a shortened output:

| 8 66 03:14:31.106506 0.047926 192.168.72.206 -> 192.168.72.38
| 9 85 03:14:34.624295 3.565715 192.168.72.38 -> 192.168.72.61
| 10 95 03:14:34.626556 3.567976 192.168.72.61 -> 192.168.72.38
| 11 66 03:14:34.626576 3.567996 192.168.72.38 -> 192.168.72.61

This would look good so far ... but as soon as the number of bytes in a
packet isn't 2 digits long, or we get more than 999 packets, the output
gets unreadable:

| 12 85 03:14:34.628704 3.570124 192.168.72.38 -> 192.168.72.61
| 18 4410 03:14:40.900369 9.841789 192.168.72.206 -> 192.168.72.38
|994 1514 03:14:42.639231 11.580651 192.168.72.206 -> 192.168.72.38
|995 78 03:14:42.639237 11.580657 192.168.72.38 -> 192.168.72.206
|996 1514 03:14:42.639240 11.580660 192.168.72.206 -> 192.168.72.38
|997 66 03:14:42.639247 11.580667 192.168.72.38 -> 192.168.72.206
|998 1514 03:14:42.639249 11.580669 192.168.72.206 -> 192.168.72.38
|999 1514 03:14:42.639252 11.580672 192.168.72.206 -> 192.168.72.38
|1000 2962 03:14:42.639255 11.580675 192.168.72.206 -> 192.168.72.38
|1001 78 03:14:42.639255 11.580675 192.168.72.38 -> 192.168.72.206
|1002 1514 03:14:42.639258 11.580678 192.168.72.206 -> 192.168.72.38
|1003 1514 03:14:42.639260 11.580680 192.168.72.206 -> 192.168.72.38

IMO the packet numbers should be formatted as %5d, and the number of
bytes %4d or %5d. The IP addresses might make sense to be given as
%-15s; for IPv4 this would be the maximum length, and IPv6 addresses'
lengths are too widely variable (and can get too long) to reserve all
space.

I'm aware that I could pass my own format options as well; but the
default output should already be useable.

For comparison, here's "tcpdump -r":

|03:14:40.900965 IP 192.168.72.206.59036 > 192.168.72.38.7798: Flags [.],
|03:14:40.900972 IP 192.168.72.38.7798 > 192.168.72.206.59036: Flags [.],
|03:14:40.900976 IP 192.168.72.206.59036 > 192.168.72.38.7798: Flags [.],
|03:14:40.900982 IP 192.168.72.38.7798 > 192.168.72.206.59036: Flags [.],
|03:14:40.901235 IP 192.168.72.206.59036 > 192.168.72.38.7798: Flags [.],
|03:14:40.901243 IP 192.168.72.38.7798 > 192.168.72.206.59036: Flags [.],
|03:14:40.901245 IP 192.168.72.206.59036 > 192.168.72.38.7798: Flags [.],

(Yes, completely different output, yadda yadda yadda. That's why I want
to use tshark and not tcpdump. But the output is much easier to
navigate, as e.g. the time is aligned.)

Thanks for listening!

-- System Information:
Debian Release: stretch/sid
  APT prefers testing
  APT policy: (990, 'testing'), (500, 'unstable'), (500, 'stable'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.1.0-1-amd64 (SMP w/4 CPU cores)
Locale: LANG=de_AT.UTF-8, LC_CTYPE=de_AT.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages tshark depends on:
ii  libc6             2.19-19
ii  libglib2.0-0      2.44.1-1.1
ii  libpcap0.8        1.7.4-1
ii  libwireshark5     1.12.7+g7fc8978-1
ii  libwiretap4       1.12.7+g7fc8978-1
ii  libwsutil4        1.12.7+g7fc8978-1
ii  wireshark-common  1.12.7+g7fc8978-1
ii  zlib1g            1:1.2.8.dfsg-2+b1

tshark recommends no packages.

tshark suggests no packages.

-- no debconf information
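
Added example, not part of the original report and not tshark code: a small stdin filter that realigns summary lines in the column order shown in the report's samples, using the %5d and %-15s widths the report proposes. The names `realign`, `LINE_RE` and `FMT` and the widths chosen for the two time columns are assumptions of this example.

```python
import re
import sys

# Column order as in the report's sample lines:
# number, length, absolute time, relative time, source, "->", destination.
LINE_RE = re.compile(
    r"^\s*(?P<num>\d+)\s+(?P<len>\d+)\s+(?P<abs>\S+)\s+(?P<rel>\S+)\s+"
    r"(?P<src>\S+)\s+->\s+(?P<dst>\S+)(?P<rest>.*)$"
)

# %5d and %-15s are the widths proposed in the report; the widths for the
# two time columns (15 and 10) are assumptions made for this example.
FMT = "%5d %5d %-15s %10s %-15s -> %-15s"

# Three lines copied from the report, plus one constructed IPv6 line.
SAMPLE = [
    "8 66 03:14:31.106506 0.047926 192.168.72.206 -> 192.168.72.38",
    "18 4410 03:14:40.900369 9.841789 192.168.72.206 -> 192.168.72.38",
    "1000 2962 03:14:42.639255 11.580675 192.168.72.206 -> 192.168.72.38",
    "7 86 03:14:31.000001 0.000001 2001:db8::1234:5678:9abc:def0 -> 2001:db8::1",
]


def realign(line):
    """Return one summary line with fixed-width columns.

    Lines that do not match the expected layout are passed through, and
    addresses longer than 15 characters (IPv6) are never truncated; they
    only push the rest of that one line to the right.
    """
    m = LINE_RE.match(line.rstrip("\n"))
    if m is None:
        return line.rstrip("\n")
    out = FMT % (int(m["num"]), int(m["len"]), m["abs"], m["rel"],
                 m["src"], m["dst"])
    return (out + m["rest"]).rstrip()


if __name__ == "__main__":
    # Filter a pipe (tshark -r file.pcap | python3 this_script.py);
    # with no pipe attached, show the embedded sample instead.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for raw in source:
        print(realign(raw))
```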