["Beno, Tal" <Tal_Beno@xxxxxxx>]

Hi Sake,

 

I wanted to use Lua as I need to manipulate the tree data and I thought that I can get it (the protocol tree) in a programmatic way through the Lua SDK. Well at least I hope that I can.

Otherwise once I understood earlier today that the “w” directive is not meant for non pcap format, I am already using it with the redirection operator :)

 

And your site will surely help a lot. This is great.

Thanks!

Tal

---

 

From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Mon, 2 Mar 2009 15:47:19 +0100

Hi Tal,

 

The -w option is used to write the data in libpcap format to file so that it can be read by tshark, wireshark or any other program that supports the libpcap format. If the output of -V is indeed the output that you are looking for, there is no need to use Lua, you can just redirect the output to a file with the ">" operator, like: "tshark -i 4 -R http.request ?V > out.txt".

 

However, if there are things that need custom dissection, you might want to use Lua. If you are just interested in specific fields, you could use the option "-T fields -e <fieldname> -e <fieldname> ...".

 

If you want some guidance on how to use the CLI tools that come with Wireshark, I have made some online presentations which can be found at http://www.lovemytool.com/blog/sake_blok.html (start at the bottom and work your way up to have them in logical/chronological order :-)).

 

Hope this helps,

Cheers,

    Sake

---

From: Beno, Tal
Sent: Monday, March 02, 2009 3:42 PM
To: 'wireshark-users@xxxxxxxxxxxxx'
Subject: RE: Can I see all protocol dissection through tshark?

 

I guess that it is just not meant to be written for the file. As I have mentioned I am totally a newbie.

I will try working my way with a Lua tap that will hopefully be able to get the whole protocol tree for each packet and perform my algorithm.

Hopefully this is the way it is meant to be done.

 

Tal

 

---

From: Beno, Tal
Sent: Monday, March 02, 2009 2:06 PM
To: 'wireshark-users@xxxxxxxxxxxxx'
Subject: RE: Can I see all protocol dissection through tshark?

 

Actually after doing it exactly as you did I have understood that the problem is in the –w directive.

When using the standard output the tree is shown as you have mentioned.

If I use –w filename there is no protocol tree in the saved file.

 

Strange but as usual it must be something that I am doing wrong. Any idea what that might be please?

Tal

 

---

From: Beno, Tal
Sent: Monday, March 02, 2009 1:44 PM
To: 'wireshark-users@xxxxxxxxxxxxx'
Subject: RE: RE: Can I see all protocol dissection through tshark?

 

Thanks Mr. Blok,

 

I was actually trying to do it this way, and just in case added now the –R option as you had it:

tshark -i 4 -w c:\_LAB\out.cap -R http.request –V

But I get in the output file only raw compressed HTTP data, and not the full tree. Do I need to configure something else in the environment to make it work?

 

Thanks,

Tal

 

---

From: "Sake Blok" <sake@xxxxxxxxxx>
Date: Mon, 2 Mar 2009 12:20:00 +0100

Yes, you can use the "-V" command line option to see the complete dissection tree:

$ tshark -r client.cap -R http.request -c1 -V)

 

…

---

From: Beno, Tal
Sent: Monday, March 02, 2009 12:14 PM
To: 'wireshark-users@xxxxxxxxxxxxx'
Subject: Can I see all protocol dissection through tshark?

 

Hi,

 

I am fairly new and am still learning the basics.

I am trying to use tshark for background only capturing and analysis (no display needed\wanted).

I am seeing in the captured stream only the pcap protocols such as TCP.

 

My need is to dissect the packets also for all the additional protocols as supported in the Wireshark UI (HTTP, FTP, TELNET …).

Is it possible through tshark (or any other non UI way)?

 

Thanks,

Tal