Can tshark use '-e' values generated within a custom Lua dissector?



I am capturing some packets that contain private headers within the payload. I have written a quick & dirty Lua dissector to decode these headers and everything works well from inside Wireshark. That is, I am able to "decode as" and see my proprietary headers within Wireshark as expected.

I am now attempting to do the same from cmd line tshark with something like this:

tshark -X lua_script:foo.lua -r capture_file -T fields -e -e

Unfortunately my private fields are not being displayed, which leads me to believe I am missing the "decode as" step that I performed above. Is there a tshark equivalent to this step?

Is there a way to have tshark make use of the ~/.wireshark/decode_as_entries file?

Thanks for any help, Jax

asked 22 Jul '13, 13:18

accept rate: 0%

One Answer:


From tshark -h:

  -d <layer_type>==<selector>,<decode_as_protocol> ...
                           "Decode As", see the man page for details
                           Example: tcp.port==8888,http

answered 22 Jul '13, 14:30

SYN-bit ♦♦
accept rate: 20%
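
The following is an added example, not code from the original thread: a small Lua dissector showing where the names passed to `-e` come from and how `-d` selects the dissector by its protocol name. The 4-byte header layout, the `foo.*` field names, the use of UDP, and ports 9999 and 8888 are assumptions made for illustration.

```lua
-- foo.lua: added illustration, not the asker's dissector.
-- Assumed (hypothetical) 4-byte private header at the start of the UDP payload:
--   byte 0: version, byte 1: message type, bytes 2-3: payload length (big-endian)
local foo = Proto("foo", "Foo Private Header")

-- Each ProtoField abbreviation ("foo.version", ...) is the name tshark's -e expects.
local f_version = ProtoField.uint8("foo.version", "Version", base.DEC)
local f_type    = ProtoField.uint8("foo.msg_type", "Message Type", base.HEX)
local f_length  = ProtoField.uint16("foo.length", "Payload Length", base.DEC)
foo.fields = { f_version, f_type, f_length }

function foo.dissector(buffer, pinfo, tree)
    -- Too short to hold the header: consume nothing instead of reading past the end.
    if buffer:len() < 4 then return 0 end

    pinfo.cols.protocol = "FOO"
    local subtree = tree:add(foo, buffer(0, 4))
    subtree:add(f_version, buffer(0, 1))
    subtree:add(f_type,    buffer(1, 1))
    subtree:add(f_length,  buffer(2, 2))
    return 4  -- number of bytes dissected
end

-- Registering in the udp.port table dissects that port with no -d needed.
-- 9999 is a constructed value.
DissectorTable.get("udp.port"):add(9999, foo)

-- Traffic on any other port still needs the command-line "Decode As"
-- (8888 is a constructed value):
--   tshark -X lua_script:foo.lua -r capture_file -d udp.port==8888,foo \
--          -T fields -e foo.version -e foo.msg_type -e foo.length
```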