Wireshark-users: Re: [Wireshark-users] Can I see all protocol dissection through tshark?
From: "Beno, Tal" <Tal_Beno@xxxxxxx>
Date: Mon, 2 Mar 2009 07:42:04 -0600

I guess that it is just not meant to be written for the file. As I have mentioned I am totally a newbie.

I will try working my way with a Lua tap that will hopefully be able to get the whole protocol tree for each packet and perform my algorithm.

Hopefully this is the way it is meant to be done.

 

Tal

 


From: Beno, Tal
Sent: Monday, March 02, 2009 2:06 PM
To: 'wireshark-users@xxxxxxxxxxxxx'
Subject: RE: Can I see all protocol dissection through tshark?

 

Actually after doing it exactly as you did I have understood that the problem is in the –w directive.

When using the standard output the tree is shown as you have mentioned.

If I use –w filename there is no protocol tree in the saved file.

 

Strange but as usual it must be something that I am doing wrong. Any idea what that might be please?

Tal

 


From: Beno, Tal
Sent: Monday, March 02, 2009 1:44 PM
To: 'wireshark-users@xxxxxxxxxxxxx'
Subject: RE: RE: Can I see all protocol dissection through tshark?

 

Thanks Mr. Blok,

 

I was actually trying to do it this way, and just in case added now the –R option as you had it:

tshark -i 4 -w c:\_LAB\out.cap -R http.request –V

But I get in the output file only raw compressed HTTP data, and not the full tree. Do I need to configure something else in the environment to make it work?

 

Thanks,

Tal

 


From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Mon, 2 Mar 2009 12:20:00 +0100

Yes, you can use the "-V" command line option to see the complete dissection tree:

$ tshark -r client.cap -R http.request -c1 -V)

 


From: Beno, Tal
Sent: Monday, March 02, 2009 12:14 PM
To: 'wireshark-users@xxxxxxxxxxxxx'
Subject: Can I see all protocol dissection through tshark?

 

Hi,

 

I am fairly new and am still learning the basics.

I am trying to use tshark for background only capturing and analysis (no display needed\wanted).

I am seeing in the captured stream only the pcap protocols such as TCP.

 

My need is to dissect the packets also for all the additional protocols as supported in the Wireshark UI (HTTP, FTP, TELNET …).

Is it possible through tshark (or any other non UI way)?

 

Thanks,

Tal