
Wireshark-users: Re: [Wireshark-users] tshark options

From: Christopher Maynard <Christopher.Maynard@xxxxxxxxx>
Date: Tue, 23 Oct 2012 01:49:06 +0000 (UTC)
René Scheibe <rene.scheibe@...> writes:

> I have 3 questions concerning tshark.
> 
> 1) field aggregation
> With -E occurrence='a' field values can be aggregated when a field
> occurs multiple times.
> 
> Can this aggregation be configured per field or is it only possible to
> do it globally for all fields?

Currently, this option applies uniformly to all fields.

> 2) dissector mapping
> With <layer type>==<selector>,<decode-as protocol> it can be specified
> which dissector to use.
> 
> It's a bit unclear what is meant by "selector".
> 
> I tried -d udp.port==100:200. tshark started fine but it looks like only
> 100 is used.
> 
> Does it only support single values or can port ranges also be used?

When you asked the question, Wireshark did not yet support port ranges.  As of
r45734, it now does.  If you don't want to wait for the next Wireshark
development release or for 1.10, you can get this functionality by downloading
any automated release version after r45734 from
http://www.wireshark.org/download/automated/ or by downloading the Wireshark
sources and compiling them yourself.


> 3) performance
> Generating a CSV file printing some fields from a PCAP file is quite slow.
> 
> Are there options or ways to speed it up?

Maybe.  There's the obvious like trying it on a faster machine, or trying to
process fewer packets through various filtering techniques.  You could also try
profiling the code to attempt to identify code regions that consume the most
time, then trying to optimize the slow code paths, possibly re-writing the code
altogether to attempt to achieve better performance.
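An added example that is not part of this thread and not Wireshark's own code: a small POSIX shell script that puts the three points above into one `tshark` field export. It assembles the command line (global `-E occurrence=a` with an aggregator that does not collide with the CSV comma, a decode-as entry using a port range, and the two cheapest speed-ups, `-n` and a display filter), runs it only if `tshark` and the input file are present, and post-processes a constructed sample of the resulting CSV to show what aggregated occurrences look like. The file name `capture.pcap`, the `udp` display filter, the port range 100-200 and the `dns` decode-as target are assumptions; the range syntax `low-high` is what current `tshark` documents for `-d`, not something the original poster's `100:200` attempt used.

```shell
#!/bin/sh
# Added example, not from the original mailing-list thread.
# Assumed names: capture.pcap (input), fields.csv (output), udp/dns/100-200.

OUT="${OUT:-fields.csv}"

# 1) Field aggregation. -E occurrence=a prints every occurrence of each -e
#    field in a packet (e.g. the inner and outer IP addresses of an ICMP error).
#    It is global: one setting for all -e fields in the run. The aggregator is
#    set to ';' so multiple values do not collide with the ',' CSV separator
#    (tshark's default aggregator is also a comma). Quoted so a later eval does
#    not read ';' as a command terminator.
aggregation_opts() {
    printf '%s' "-E header=y -E separator=, -E quote=d -E occurrence=a -E 'aggregator=;'"
}

# 2) Decode-as with a port range: <layer>==<low>-<high>,<protocol>.
#    Arguments: low port, high port, dissector name.
decode_as_opts() {
    printf '%s' "-d udp.port==${1}-${2},${3}"
}

# 3) Performance: -n disables all name resolution (reverse DNS lookups can
#    dominate run time on a large trace) and -Y keeps only matching packets,
#    so fewer packets reach the field printer. Argument: display filter.
perf_opts() {
    printf '%s' "-n -Y '${1}'"
}

# Builds the full command as a string. Arguments: pcap path, display filter.
build_tshark_cmd() {
    printf 'tshark -r %s %s %s %s -T fields -e frame.number -e ip.addr -e udp.port\n' \
        "$1" "$(perf_opts "$2")" "$(decode_as_opts 100 200 dns)" "$(aggregation_opts)"
}

# Runs the export when tshark and the capture exist; otherwise prints the
# command that would have run, so the script is still useful for inspection.
run_export() {
    if command -v tshark >/dev/null 2>&1 && [ -r "$1" ]; then
        eval "$(build_tshark_cmd "$1" "$2")" > "$OUT"
    else
        echo "tshark or $1 not available; command would be:" >&2
        build_tshark_cmd "$1" "$2" >&2
    fi
}

# Constructed sample of the CSV the command above writes (not a real capture).
# Row 2 has four ip.addr values: an ICMP error quoting an inner IP header.
SAMPLE_CSV='"frame.number","ip.addr","udp.port"
"1","10.0.0.1;10.0.0.2","100;53"
"2","10.0.0.2;10.0.0.1;10.0.0.2;10.0.0.1","53;100;100;53"
"3","10.0.0.3;10.0.0.4","150;53"'

# Counts data rows whose ip.addr column carries more than two aggregated
# values; without occurrence=a those extra occurrences would not be exported.
count_multi_occurrence() {
    printf '%s\n' "$1" |
        awk -F'","' 'NR > 1 { n = split($2, a, ";"); if (n > 2) c++ } END { print c + 0 }'
}

run_export capture.pcap udp
echo "packets with more than two ip.addr values in sample: $(count_multi_occurrence "$SAMPLE_CSV")"
```

If a field really needs a different occurrence setting from the others, run `tshark` once per setting (or export with `occurrence=a` and split the aggregated column afterwards, as `count_multi_occurrence` does); the option itself cannot be scoped to one `-e` field.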