
Wireshark-users: [Wireshark-users] tshark print raw data with -T fields (for partial ssl records)

From: Lee Mighdoll <lee@xxxxxxxxxxxxx>
Date: Mon, 29 Apr 2013 16:08:54 -0700
I'm printing a dozen fields or so from a trace with a limited snap length.  Works great, but the thirteenth field is unfortunately not decoded from partially captured packets.  

Is there a way to print the raw data along with -T fields? -x and -T fields don't mix... I suppose I could run tshark twice, once with -x and once with -T fields, and correlate the output, but I'm hoping there's an easier way. I see some references on the web to an option for -e data, but that doesn't print anything when I try it (on tshark 1.8.2).

Alternately, is there any way to convince the ssl packet parser to emit the fields that it has recognized from a partial record? In particular, I'd like to know that the header for ssl record type 23 (application data) has been captured, even though tcpdump hasn't captured the entire contents of the application data itself.

Cheers,
Lee
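
Added example, not part of the original post and not Wireshark code: a small Python walker that reads the 5-byte SSL/TLS record headers out of raw TCP payload bytes and reports a type 23 (application data) header even when the snap length cut off the record body. It assumes the payload starts at a record boundary; the function names and the sample bytes are constructed for illustration.

```python
import struct

# Record content types defined in RFC 5246, section 6.2.1.
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
HEADER_LEN = 5  # type (1 byte) + version (2 bytes) + length (2 bytes)


def walk_tls_records(payload: bytes):
    """Return one dict per record header found in a possibly truncated payload.

    Assumption: payload begins at a record boundary. A record whose body
    runs past the captured bytes is reported with truncated=True; the walk
    then stops because the next header was not captured.
    """
    records = []
    offset = 0
    while offset + HEADER_LEN <= len(payload):
        ctype, major, minor, length = struct.unpack_from("!BBBH", payload, offset)
        # An unknown type or a non-3.x version means this is not a record header.
        if ctype not in CONTENT_TYPES or major != 3:
            break
        captured = min(length, len(payload) - offset - HEADER_LEN)
        records.append({
            "offset": offset,
            "type": ctype,
            "name": CONTENT_TYPES[ctype],
            "version": (major, minor),
            "length": length,        # body length declared in the header
            "captured": captured,    # body bytes actually present
            "truncated": captured < length,
        })
        offset += HEADER_LEN + length
    return records


def has_application_data_header(payload: bytes) -> bool:
    """True if a complete type 23 record header was captured."""
    return any(r["type"] == 23 for r in walk_tls_records(payload))


# Constructed sample: a full change_cipher_spec record, then an
# application_data header declaring 256 bytes with only 8 bytes captured.
SAMPLE = bytes.fromhex("140301000101" "1703010100" "0011223344556677")

if __name__ == "__main__":
    for rec in walk_tls_records(SAMPLE):
        print(rec)
```
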