Hi, Is is possible to set the comment for an individual packet using tshark? I see in the man page this can be done for the capture comment with --capture-comment <comment> but is there a way to specify an individual packet by packet number? Many Thanks asked 21 Jun '15, 10:37  Marv |
One Answer:
No, you can't do that with tshark (not implemented). However, you can add packet level comments in Wireshark (right click a frame and choose "Packet comment") and then save the file as a pcapng to preserve the comments. Regards answered 21 Jun '15, 10:51  Kurt Knochner ♦ edited 21 Jun '15, 10:53 |
Thanks Kurt,
It would be great if tshark could do this, I wonder if this will be available in later versions?
Cheers
I don't know. There is no feature "roadmap" for Wireshark. So, if you need this feature please file an enhancement but at https://bugs.wireshark.org and hope that somebody has time to implement it. I think it should be a feature for editcap, instead of tshark.
Had a chat with Martin about this at Sharkfest, he very kindly added this to editcap with the -a option:
-a <framenum>:<comment> Add or replace comment for given frame number
https://github.com/wireshark/wireshark/commit/dd16c55e9f830e6febf5484a7a71ca0abd05bf16
Cheers