This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Is tshark able to use plugin dissectors?

0

I have a dissector to decode the payload for an RTPS payload and it works fine in wireshark, but tshark does not seem to recognize the hand-off from RTPS to my sub-dissection routine.

Is there a way for tshark to be able to use plugin dissectors? A command-line solution would be nice to use for automated checking of pcap files.

I have googled this as many ways as I can think of and can't seem to find an answer.

Thanks for any advice or suggestions.

asked 30 Jul '14, 13:17

FlanOSU

Does your dissector require 2 pass dissection? Try passing command line option '-2' to tshark.

(30 Jul '14, 13:24) Jaap ♦

One Answer:

1

I would expect it to "just work".

(IOW: if a plugin works OK with wireshark, it should also be OK with tshark)

A long shot: what happens if you use tshark -2 ... ?

In any case, what platform/OS/version are you using?

answered 30 Jul '14, 13:23

Bill Meier ♦♦

edited 30 Jul '14, 13:25

I am running on a vm of Linux (RHEL 5).

The two pass option got me going in the right direction. I have to process the DDS publications in order to get a list of "upcoming" messages by GUID. I then have to use the GUID to correctly decode my payloads, which don't have typical header information like message id, length, etc...

I had an older version of wireshark/tshark that doesn't seem to support the two pass feature, but the latest wireshark build I was working with handles it correctly. Thanks for the assistance.

(30 Jul '14, 14:42) FlanOSU