Wireshark mailing list archives

tshark print raw data with -T fields (for partial ssl records)


From: Lee Mighdoll <lee () underneath ca>
Date: Mon, 29 Apr 2013 16:08:54 -0700

I'm printing a dozen fields or so from a trace with a limited snap length.
Works great, but the thirteenth field is unfortunately not decoded from
partially captured packets.

Is there a way to print the raw data along with -T fields?  -x and -T
fields don't mix...  I suppose I could run tshark twice, once with -x and
once with -T fields, and correlate the output, but I'm hoping there's an
easier way.  I see some references on the web to an option for -e data, but
that doesn't print anything when I try it (on tshark 1.8.2).

Alternately, is there any way to convince the ssl packet parser to emit the
fields that it has recognized from a partial record?  In particular, I'd
like to know that the header for ssl record type 23 (application data) has
been captured, even though tcpdump hasn't captured the entire contents of
the application data itself.

Cheers,
Lee
___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
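
The following is an added example, not part of the original post and not Wireshark code: a small parser that walks the 5-byte SSL/TLS record headers in the captured bytes of a TCP payload and reports a type 23 (application data) record even when the snap length cut off its body. The function names and the sample bytes are constructed for illustration, and the parser assumes the payload starts on a record boundary.

```python
import struct

CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_RECORD_LEN = 2**14 + 2048   # largest ciphertext record length (RFC 5246)
HEADER_LEN = 5                  # type(1) + version(2) + length(2)

def scan_tls_records(captured: bytes):
    """Return one dict per record header found in the captured payload bytes.

    A record whose body was truncated by the snap length is still reported,
    with complete=False. Assumes the payload begins on a record boundary.
    """
    records, offset = [], 0
    while offset < len(captured):
        if len(captured) - offset < HEADER_LEN:
            # The header itself was cut off: type and length are unknown.
            records.append({"offset": offset, "type": None, "complete": False})
            break
        ctype, major, minor, length = struct.unpack_from("!BBBH", captured, offset)
        if ctype not in CONTENT_TYPES or major != 3 or length > MAX_RECORD_LEN:
            break  # not a plausible record header (e.g. mid-record bytes)
        have = min(length, len(captured) - offset - HEADER_LEN)
        records.append({"offset": offset, "type": ctype,
                        "name": CONTENT_TYPES[ctype],
                        "version": (major, minor),
                        "declared_len": length, "captured_len": have,
                        "complete": have == length})
        offset += HEADER_LEN + length  # jump to where the next header would be
    return records

def has_appdata_header(captured: bytes) -> bool:
    """True if a full type 23 header was captured, whatever happened to its body."""
    return any(r["type"] == 23 for r in scan_tls_records(captured))

# Constructed sample: a complete 1-byte change_cipher_spec record, then an
# application_data header declaring 256 bytes of which only 20 were captured.
SAMPLE = (bytes.fromhex("1403030001") + b"\x01" +
          bytes.fromhex("1703030100") + b"\xaa" * 20)

if __name__ == "__main__":
    for rec in scan_tls_records(SAMPLE):
        print(rec)
```

A segment that begins in the middle of a record fails the header plausibility check and yields no records, so continuation segments of a long application data record are not counted.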
