
Wireshark-users: Re: [Wireshark-users] Question about tshark output

From: Jeff Morriss <jeff.morriss.ws@xxxxxxxxx>
Date: Tue, 4 Apr 2017 18:14:29 -0400


On Tue, Apr 4, 2017 at 10:13 AM, Remy Leone <remy.leone@xxxxxxxx> wrote:
Hello,

When I'm using tshark -x I sometimes get the following output:

Frame (129 bytes):
0000  60 00 00 00 00 59 11 08 bb bb 00 00 00 00 00 00   `....Y..........
0010  00 00 00 00 00 00 00 01 bb bb 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 01 00 00 45 5a 00 59 f4 8d   ..........EZ.Y..
0030  45 58 02 01 10 00 01 01 ff 01 01 01 01 01 01 01   EX..............
0040  01 02 02 02 02 00 00 00 00 00 00 00 00 00 00 31   ...............1
0050  41 e8 9f fe ca ff ff 03 00 00 00 cc 92 15 14 7a   A..............z
0060  3b 3a 1a 9b 01 15 c9 00 00 02 50 88 33 00 00 bb   ;:........P.3...
0070  bb 00 00 00 00 00 00 14 15 92 cc 00 00 00 01 db   ................
0080  9e                                                .

Decompressed 6LoWPAN IPHC (68 bytes):
0000  60 00 00 00 00 1c 3a 40 fe 80 00 00 00 00 00 00   `.....:@........
0010  16 15 92 cc 00 00 00 03 ff 02 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 1a 9b 01 15 c9 00 00 02 50   ...............P
0030  88 33 00 00 bb bb 00 00 00 00 00 00 14 15 92 cc   .3..............
0040  00 00 00 01                                       ....

Is there a way to tell Wireshark to just display the Frame and not decompress anything?

There is currently no 6LoWPAN option to disable such decompression and I'm not aware of an option to disable it on a global basis. So, no, I don't think there's a way to turn that off.
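
Since no switch exists, the extra data source can be dropped after the fact. The Python below is an added example, not part of the original thread or of Wireshark: it splits `tshark -x` text into its labelled data sources, checks each against its declared size, and keeps only `Frame`. The function names are hypothetical, and it assumes a dump printed without a label is a packet with a single source.

```python
import re

HEADER = re.compile(r"^(?P<name>.+) \((?P<size>\d+) bytes\):$")  # e.g. "Frame (129 bytes):"
ROW = re.compile(r"^[0-9a-f]{4}  (?P<hex>(?:[0-9a-f]{2} ?){1,16})")  # offset, then hex column

def split_sources(text):
    """Return [(name, data), ...] for every hex dump block in tshark -x output."""
    blocks, current = [], None
    for line in text.splitlines():
        header, row = HEADER.match(line.rstrip()), ROW.match(line)
        if header:
            current = [header["name"], int(header["size"]), bytearray()]
            blocks.append(current)
        elif row:
            if current is None:  # unlabeled dump: assumed to be the only (frame) source
                current = ["Frame", None, bytearray()]
                blocks.append(current)
            current[2] += bytes.fromhex(row["hex"])
        else:
            current = None  # a blank or summary line ends the current block
    for name, size, data in blocks:
        if size is not None and size != len(data):
            raise ValueError(f"{name}: header says {size} bytes, dump has {len(data)}")
    return [(name, bytes(data)) for name, _, data in blocks]

def frames_only(text):
    """Keep the raw frame of each packet; drop reassembled or decompressed sources."""
    return [data for name, data in split_sources(text) if name == "Frame"]

# Sample input: the dump quoted in the question above
SAMPLE = """Frame (129 bytes):
0000  60 00 00 00 00 59 11 08 bb bb 00 00 00 00 00 00   `....Y..........
0010  00 00 00 00 00 00 00 01 bb bb 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 01 00 00 45 5a 00 59 f4 8d   ..........EZ.Y..
0030  45 58 02 01 10 00 01 01 ff 01 01 01 01 01 01 01   EX..............
0040  01 02 02 02 02 00 00 00 00 00 00 00 00 00 00 31   ...............1
0050  41 e8 9f fe ca ff ff 03 00 00 00 cc 92 15 14 7a   A..............z
0060  3b 3a 1a 9b 01 15 c9 00 00 02 50 88 33 00 00 bb   ;:........P.3...
0070  bb 00 00 00 00 00 00 14 15 92 cc 00 00 00 01 db   ................
0080  9e                                                .

Decompressed 6LoWPAN IPHC (68 bytes):
0000  60 00 00 00 00 1c 3a 40 fe 80 00 00 00 00 00 00   `.....:@........
0010  16 15 92 cc 00 00 00 03 ff 02 00 00 00 00 00 00   ................
0020  00 00 00 00 00 00 00 1a 9b 01 15 c9 00 00 02 50   ...............P
0030  88 33 00 00 bb bb 00 00 00 00 00 00 14 15 92 cc   .3..............
0040  00 00 00 01                                       ....
"""
```

Calling `frames_only()` on captured `tshark -x` text returns one `bytes` object per packet, containing only the on-the-wire frame.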