Hi Sean,
You can use the option -O
$ tshark -h
-O protocols: Only show packet details of these protocols, comma separated
$ tshark -r Clmt_04.pcap -O http -V > clmt_04a.txt
$ tshark -r Clmt_04.pcap -O tcp,http -V > clmt_04b.txt
BTW
I'm running TShark 1.6.5
Best regards
Joke
On Tue, 7 Feb 2012 12:45:49 -0500 sean wrote:
>Hi,
>I'm using tshark to convert .pcap to .txt format using the -r option and
>redirecting the output to a file, e.g. tshark -r file.pcap -V>file.txt
>The problem is that the size of the txt file is about 30x larger than the
>pcap since I'm using the -V(erbose) option. I'm wondering if there is a way
>to strip off some of the protocol headers that I'm not interested in. e.g.
>I want to strip off the 'Frame', 'Ethernet' and 'IP' protocol layers before
>redirecting the output to a txt. Is that possible? Another idea is to
>selectively expand (Verbose) only the protocols I'm interested in. Is any
>of this possible? If yes, I'd appreciate some advice. Thanks a lot.
>Sean.