I have a dissector to decode the payload for an RTPS payload and it works fine in wireshark, but tshark does not seem to recognize the hand-off from RTPS to my sub-dissection routine. Is there a way for tshark to be able to use plugin dissectors? A command-line solution would be nice to use for automated checking of pcap files. I have googled this as many ways as I can think of and can't seem to find an answer. Thanks for any advice or suggestions.

asked 30 Jul '14, 13:17 FlanOSU

One Answer:

I would expect it to "just work". (IOW: if a plugin works OK with wireshark, it should also be OK with tshark.) A long shot: what happens if you use In any case, what platform/OS/version are you using?

answered 30 Jul '14, 13:23 Bill Meier ♦♦ edited 30 Jul '14, 13:25

I am running on a VM of Linux (RHEL 5). The two-pass option got me going in the right direction. I have to process the DDS publications in order to get a list of "upcoming" messages by GUID. I then have to use the GUID to correctly decode my payloads, which don't have typical header information like message id, length, etc... I had an older version of wireshark/tshark that doesn't seem to support the two-pass feature, but the latest wireshark build I was working with handles it correctly. Thanks for the assistance. (30 Jul '14, 14:42) FlanOSU

Does your dissector require 2 pass dissection? Try passing command line option '-2' to tshark.