Export packets in “Decode as” format

Question

I'm trying to export a packet capture, which is decoded as "PEEKREMOTE". For example: tshark -r -d udp.port==5000,peekremote <file.pcap> ...and I'd like to save/export the 'decoded version' of file.pcap. Is that possible in either tshark or wireshark?

Accepted Answer

Is that possible in either tshark or wireshark?

No, that's not possible, as the "Decode as" action is only performed within Wireshark/tshark while it is running. If you save a decoded capture file, there will be no information added about your special configuration (decoding port 5000 as PEEKREMOTE).

Solution: If you want to have that as a permanent option, you can change the Wireshark preferences.

Select one of those packets with port 5000
then >Analyze -> Decode As -> Transport [tab] -> PEEKREMOTE (will only show up for UDP frames)
click Apply
click Show current
click Save

Wireshark will now save your 'Decode As' setting to the file 'decode_as_entries' in the folder %APPDATA%\Wireshark\, or a sub-folder if you are using profiles. Just search for the file name.

Content of decode_as_entries

# "Decode As" entries file for Wireshark 1.11.0-SVN-52212.
#
# This file is regenerated when saving the "Decode As..." list.
# So be careful, if you want to make manual changes here.
######## Decode As table entries, can be altered through command line ########
decode_as_entry: udp.port,5000,(none),PEEKREMOTE

Regards
Kurt

Answer 2

What do you mean by "export" and "decoded"? [Wire|t]shark can print the protocol tree as text or various forms of ML. Look under the File | Export Packet Dissections ... menu in Wireshark, and look at the -T options for tshark.