
Wireshark-users: Re: [Wireshark-users] display udp data with tshark

From: wsgd <wsgd@xxxxxxx>
Date: Thu, 19 Mar 2009 20:59:44 +0100
Zoran Bošnjak wrote:
> I would like to explicitly enable "wanted" protocol.
>
> The problem with disable all (as you suggest) is that script will fail when some new protocols are added. It could potentially try to decode as new protocol... so I would need to constantly update a script as new protocols are added.

You must update only if you upgrade your wireshark.
Seems not constantly for me.

> Any other idea?

No !

> Zoran

-----Original Message-----
From: wireshark-users-bounces@xxxxxxxxxxxxx [mailto:wireshark-users-bounces@xxxxxxxxxxxxx] On Behalf Of wsgd
Sent: Monday, March 16, 2009 10:32 PM
To: Community support list for Wireshark
Subject: Re: [Wireshark-users] display udp data with tshark

Disable all unwanted protocols ?

Olivier

Zoran Bošnjak wrote:
> How do I display udp data for all UDP frames (with tshark or any other command line tool)?
> I have tried this: $tshark -r myfile.pcap -T fields -e data
>
> ... but it only works for udp frames that don't decode udp data as some other protocol.
> Is there something like "-e udp.data"?
> Or is there a way to say "decode all udp (or udp.dstport==<port>) as raw udp", so that "-e data" will work?
> For example, I have 2 UDP frames below and "-e data" and I am not able to extract udp data for the second frame:
>
>   1 0.000000 172.18.10.21 -> 172.18.10.255 UDP Source port: 1105  Destination port: 51020
> 0000  ff ff ff ff ff ff 00 02 b3 ec b7 71 08 00 45 00   ...........q..E.
> 0010  00 24 05 97 00 00 40 11 07 fa ac 12 0a 15 ac 12   .$....@.........
> 0020  0a ff 04 51 c7 4c 00 10 52 99 00 02 00 02 00 00   ...Q.L..R.......
> 0030  74 5a 00 00 00 00 00 00 00 00 00 00               tZ..........
>
>   2 0.085200 172.18.10.2 -> 224.0.0.2 HSRP Hello (state Active)
> 0000  01 00 5e 00 00 02 00 00 0c 07 ac 01 08 00 45 c0   ..^...........E.
> 0010  00 4e 00 00 00 00 01 11 22 c9 ac 12 0a 02 e0 00   .N......".......
> 0020  00 02 07 c1 07 c1 00 3a 48 9a 00 00 10 03 0a 69   .......:H......i
> 0030  01 00 00 00 00 00 00 00 00 00 ac 12 0a 01 04 1c   ................
> 0040  01 00 00 00 ac 12 0a 02 00 00 00 00 40 2e af 40   ............@..@
> 0050  aa bb 9b 32 08 a8 a8 e8 13 7e 8a 2a               ...2.....~.*
>
> Thanks for your answer.
>
> regards,
> Zoran

___________________________________________________________________________
Sent via:    Wireshark-users mailing list <wireshark-users@xxxxxxxxxxxxx>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request@xxxxxxxxxxxxx?subject=unsubscribe


--
Wireshark Generic Dissector http://wsgd.free.fr