This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Noob question here. I wanted to see the performance difference between having all the dissectors turned on vs. only those for the protocols that I was interested in. I ran:

tshark -r dump.pcap -qz io,phs

I can see the following protocols used: eth, ip, tcp, udp, icmp, igmp, arp. After adding all of these from the dissectors list I only get dissection up the the ethernet layer, for every packet, everything else it just treats as 'data'. What am I missing?

asked 27 Aug '14, 13:31

Blackdragon1400's gravatar image

Blackdragon1400
16337
accept rate: 0%


What am I missing?

ethertype ?

Enable all the protocols and then, for a random sample of frames in your capture, look (with wireshark) in the details pane under 'frame' at the generated field 'protocols in frame' to see the list of protocols in the frame.

permanent link

answered 27 Aug '14, 18:05

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

edited 27 Aug '14, 18:05

Ethertype was it, thanks for the help. Is there a tshark command that won't miss that?

Obviously I could use tshark -Tfields -e frame.protocols, but I'm just curious why -qz doesn't include it.

(28 Aug '14, 08:34) Blackdragon1400

I don't know....

(28 Aug '14, 08:54) Bill Meier ♦♦
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×1,620
×832
×637

question asked: 27 Aug '14, 13:31

question was seen: 1,282 times

last updated: 28 Aug '14, 08:54

p​o​w​e​r​e​d by O​S​Q​A