Hi,
I have 3 questions concerning tshark.
1) field aggregation
With -E occurrence='a' field values can be aggregated when a field
occurs multiple times.
Can this aggregation be configured per field or is it only possible to
do it globally for all fields?
2) dissector mapping
With <layer type>==<selector>,<decode-as protocol> it can be specified
which dissector to use.
It's a bit unclear what is meant by "selector".
I tried -d udp.port==100:200. tshark started fine but it looks like only
100 is used.
Does it only support single values or can port ranges also be used?
3) performance
Generating a CSV file printing some fields from a PCAP file is quite slow.
Are there options or ways to speed it up?
Regards,
René Scheibe