Wireshark mailing list archives

Re: How to access the payload of a protocol in tshark

From: Rick Gudmundson <rickg421 () gmail com>
Date: Tue, 7 Aug 2012 16:18:51 -0500

I too was just looking for this feature today. I thought that I stumbled
upon it with "-O". However, that doesn't *only* print detailed information
for the specific protocol. It also prints the summary lines for other
protocols. Maybe that's a jumping off point?

Thanks,
Rick

On Tue, Aug 7, 2012 at 3:48 PM, Christopher Maynard <
Christopher.Maynard () gtech com> wrote:

Joerg Mayer <jmayer@...> writes:

I'm looking for a way to access the payload of a protocol in tshark and
haven't found one.


I was recently trying to do something similar for one of our older
protocols
that nobody had yet written a dissector for, but I was unable to come up
with a
solution.  For me, it would have been good enough if something like "-e
data.data[n:m]" or "-e frame[n:m]" worked, but unfortunately neither of
them do.

I ended up having to write a basic enough dissector to get at least some
of the
data of interest out of it quickly.

What I'd like to use with the -e option is something like

"<protocol>.payload"

for protocols that have a payload that is not dissected via the protocol

dissector.

This element could be a hidden field.
The output could be either text, hex or raw(binary), depending on a -E
parameter (or maybe a new option), see the -z follow feature.

Is this already possible and I just missed it?


I am unaware of such a feature ... but maybe I missed it too.

If not, does this feature sound reasonable?


Yes! +1

- Chris


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org
?subject=unsubscribe




-- 
Rick

___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
Unsubscribe: https://wireshark.org/mailman/options/wireshark-dev
             mailto:wireshark-dev-request () wireshark org?subject=unsubscribe

Current thread:

How to access the payload of a protocol in tshark Joerg Mayer (Aug 07)
- Re: How to access the payload of a protocol in tshark Christopher Maynard (Aug 07)
  - Re: How to access the payload of a protocol in tshark Rick Gudmundson (Aug 08)