[Rick Gudmundson <rickg421@xxxxxxxxx>]

I too was just looking for this feature today. I thought that I stumbled upon it with "-O". However, that doesn't *only* print detailed information for the specific protocol. It also prints the summary lines for other protocols. Maybe that's a jumping off point?

Thanks,

Rick

On Tue, Aug 7, 2012 at 3:48 PM, Christopher Maynard <Christopher.Maynard@xxxxxxxxx> wrote:

Joerg Mayer <jmayer@...> writes:

> I'm looking for a way to access the payload of a protocol in tshark and
> haven't found one.

I was recently trying to do something similar for one of our older protocols
that nobody had yet written a dissector for, but I was unable to come up with a
solution.  For me, it would have been good enough if something like "-e
data.data[n:m]" or "-e frame[n:m]" worked, but unfortunately neither of them do.

I ended up having to write a basic enough dissector to get at least some of the
data of interest out of it quickly.

> What I'd like to use with the -e option is something like "<protocol>.payload"
> for protocols that have a payload that is not dissected via the protocol
dissector.
> This element could be a hidden field.
> The output could be either text, hex or raw(binary), depending on a -E
> parameter (or maybe a new option), see the -z follow feature.
>
> Is this already possible and I just missed it?

I am unaware of such a feature ... but maybe I missed it too.

> If not, does this feature sound reasonable?

Yes! +1

- Chris

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request@xxxxxxxxxxxxx?subject=unsubscribe

--
Rick