Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: [Wireshark-users] tshark options

From: René Scheibe <rene.scheibe@xxxxxxxxxxxxxx>
Date: Thu, 07 Jun 2012 20:14:52 +0200
Hi,

I have 3 questions concerning tshark.

1) field aggregation
With -E occurrence='a' field values can be aggregated when a field
occurs multiple times.

Can this aggregation be configured per field or is it only possible to
do it globally for a fields?

2) dissector mapping
With <layer type>==<selector>,<decode-as protocol> it can be specified
which dissector to use.

It's a bit unclear what is meant by "selector".

I tried -d udp.port==100:200. tshark started fine but it looks like only
100 is used.

Does it only support single values or can port ranges also be used?

3) performance
Generating a CSV file printing some fields from a PCAP file is quite slow.

Are there options or ways to speed it up?

Regards,
Ren� Scheibe