Wireshark-users: Re: [Wireshark-users] display udp data with tshark

From: Zoran Bošnjak <Zoran.Bosnjak@xxxxxxxxxxxxxxxxxx>
Date: Wed, 18 Mar 2009 08:57:18 +0100
I would like to explicitly enable "wanted" protocol.

The problem with disable all  (as you suggest) is that script will fail when some new protocols are added. It could potentialy  try to decode as new protocol... so I would need to constantly update a script as new protocols are added.

Any other idea?

Zoran

> -----Original Message-----
> From: wireshark-users-bounces@xxxxxxxxxxxxx 
> [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wsgd
> Sent: Monday, March 16, 2009 10:32 PM
> To: Community support list for Wireshark
> Subject: Re: [Wireshark-users] display udp data with tshark
> 
> Disable all unwanted protocols ?
> 
> Olivier
> 
> Zoran Bošnjak a écrit :
> > How do I display udp data for all UDP frames (with tshark 
> or any other command line tool)?
> >
> > I have tryed this: 
> > $tshark -r myfile.pcap -T fields -e data
> >
> > ... but it only works for udp frames that don't decode udp 
> data as some other protocol.
> > Is there something like "-e udp.data"?
> > Or is there a way to say "decode all udp (or 
> udp.dstport==<port>) as raw udp", so that "-e data" will work?
> >
> > For example, I have 2 UDP frames below and "-e data" and I 
> am not able to extract udp data for the second frame:
> >
> >   1   0.000000 172.18.10.21 -> 172.18.10.255 UDP Source 
> port: 1105  Destination port: 51020
> >
> > 0000  ff ff ff ff ff ff 00 02 b3 ec b7 71 08 00 45 00   
> ...........q..E.
> > 0010  00 24 05 97 00 00 40 11 07 fa ac 12 0a 15 ac 12   
> .$....@.........
> > 0020  0a ff 04 51 c7 4c 00 10 52 99 00 02 00 02 00 00   
> ...Q.L..R.......
> > 0030  74 5a 00 00 00 00 00 00 00 00 00 00               tZ..........
> >
> >   2   0.085200  172.18.10.2 -> 224.0.0.2    HSRP Hello 
> (state Active)
> >
> > 0000  01 00 5e 00 00 02 00 00 0c 07 ac 01 08 00 45 c0   
> ..^...........E.
> > 0010  00 4e 00 00 00 00 01 11 22 c9 ac 12 0a 02 e0 00   
> .N......".......
> > 0020  00 02 07 c1 07 c1 00 3a 48 9a 00 00 10 03 0a 69   
> .......:H......i
> > 0030  01 00 00 00 00 00 00 00 00 00 ac 12 0a 01 04 1c   
> ................
> > 0040  01 00 00 00 ac 12 0a 02 00 00 00 00 40 2e af 40   
> ............@..@
> > 0050  aa bb 9b 32 08 a8 a8 e8 13 7e 8a 2a               ...2.....~.*
> >
> > Thanks for your answer.
> >
> > regards,
> > Zoran
> > 
> ______________________________________________________________
> _____________
> > Sent via:    Wireshark-users mailing list 
> <wireshark-users@xxxxxxxxxxxxx>
> > Archives:    http://www.wireshark.org/lists/wireshark-users
> > Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
> >              
> > mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
> >
> >
> >   
> 
> 
> --
> Wireshark Generic Dissector http://wsgd.free.fr
> 
> ______________________________________________________________
> _____________
> Sent via:    Wireshark-users mailing list 
> <wireshark-users@xxxxxxxxxxxxx>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              
> mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe
>