Huge thanks to our Platinum Members Endace and LiveAction,
and our Silver Member Veeam, for supporting the Wireshark Foundation and project.

Wireshark-users: Re: [Wireshark-users] Wireshark-users Digest, Vol 94, Issue 10

From: Mathias Koerber <mathias@xxxxxxxxxxx>
Date: Mon, 24 Mar 2014 09:21:14 +0800
I'm trying to have tshark decode a number of packets I got from an
strace(1) output (params of write, read, recvfrom etc).
Thus they are not including any layers below UDP..

I am using Perl's String::Unescape and Data::Hexdumper to
convert them to a format similar to what od(1) would output, then
   text2pcap -q -i 6 -u 10000,53
(as an example for a DNS packet) to make pcap input file
and then
   tshark -l -V -N t -r filename </dev/null >filename2 2>&1
to have tshark decode them.

However, that also decodes the dummy lower layers I had
text2pcap add to get a full packet.

1. Is there a way to not have to have text2cap add those
   dummy layers (ie, can I tell tshark that all it will find
   in the pcap file is UDP packet)?

If not:

2. Is there a way to have tshark only decode the UDP part
   and print it in -V detail?  I don't  need the full dummy
   info.

thanks
M