This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

What dissectors am I missing? All analysis stops at Ethernet II

0

Noob question here. I wanted to see the performance difference between having all the dissectors turned on vs. only those for the protocols that I was interested in. I ran:

tshark -r dump.pcap -qz io,phs

I can see the following protocols used: eth, ip, tcp, udp, icmp, igmp, arp. After adding all of these from the dissectors list I only get dissection up the the ethernet layer, for every packet, everything else it just treats as 'data'. What am I missing?

asked 27 Aug '14, 13:31

Blackdragon1400's gravatar image

Blackdragon1400
16337
accept rate: 0%


One Answer:

0

What am I missing?

ethertype ?

Enable all the protocols and then, for a random sample of frames in your capture, look (with wireshark) in the details pane under 'frame' at the generated field 'protocols in frame' to see the list of protocols in the frame.

answered 27 Aug '14, 18:05

Bill%20Meier's gravatar image

Bill Meier ♦♦
3.2k1850
accept rate: 17%

edited 27 Aug '14, 18:05

Ethertype was it, thanks for the help. Is there a tshark command that won't miss that?

Obviously I could use tshark -Tfields -e frame.protocols, but I'm just curious why -qz doesn't include it.

(28 Aug '14, 08:34) Blackdragon1400

I don't know....

(28 Aug '14, 08:54) Bill Meier ♦♦