Is there a method in which I can remove or filter headers keeping only the payload during a live capture via wireshark or tshark? I know that I can modify an existing capture using editcap. asked 18 Aug '15, 13:07 NiCe85
One Answer:
No, this isn't possible. dumpcap (the tool which both Wireshark and tshark start to do the capture) does not process frames before writing them to disk. answered 18 Aug '15, 16:37 Jasper
Hi Jasper, when I run tshark with the following options "tshark -i -T fields -e data" I am able to get the output that I want. Is there an equivalent wireshark display filter?
Well, you can filter on "data" but Wireshark will always show the full packet - that's because the "-T fields -e data" is a feature that selectively prints just the fields mentioned (it's not a "display filter" as such), while Wireshark always shows all fields.
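As an added example that is not part of this thread (editor's code, not Jasper's or the Wireshark project's): the post-capture equivalent of `-T fields -e data`, a small Python parser that reads a pcap file and keeps only the TCP/UDP payload of each Ethernet/IPv4 frame, i.e. the bytes that dumpcap writes after the headers it never strips. The pcap bytes are constructed inline so it runs offline; `pcap_payloads` and `_frame_payload` are names assumed for this example.

```python
import struct

# Constructed sample: a little-endian pcap (LINKTYPE_ETHERNET) holding one
# Ethernet/IPv4/TCP frame whose TCP payload is b"hello".
def _build_sample_pcap() -> bytes:
    payload = b"hello"
    # src port, dst port, seq, ack, data offset (5 words), flags PSH|ACK, window, csum, urg
    tcp = struct.pack("!HHIIBBHHH", 1234, 80, 1, 0, 5 << 4, 0x18, 8192, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    eth = b"\xaa" * 6 + b"\xbb" * 6 + b"\x08\x00"          # dst, src, EtherType IPv4
    frame = eth + ip + tcp + payload
    global_hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    rec_hdr = struct.pack("<IIII", 0, 0, len(frame), len(frame))  # ts_sec, ts_usec, incl, orig
    return global_hdr + rec_hdr + frame

SAMPLE_PCAP = _build_sample_pcap()

def _frame_payload(frame: bytes) -> bytes:
    """Strip Ethernet, IPv4 and TCP/UDP headers; b"" for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":   # not IPv4 over Ethernet
        return b""
    ihl = (frame[14] & 0x0F) * 4                          # IPv4 header length
    total_len = struct.unpack("!H", frame[16:18])[0]
    proto = frame[23]
    l4 = 14 + ihl
    end = 14 + total_len                                  # drops any Ethernet padding
    if proto == 6:                                        # TCP: data offset, upper nibble
        hdr = (frame[l4 + 12] >> 4) * 4
    elif proto == 17:                                     # UDP: fixed 8-byte header
        hdr = 8
    else:
        return b""
    return frame[l4 + hdr:end]

def pcap_payloads(data: bytes) -> list[bytes]:
    """Return one payload per pcap record, in capture order."""
    endian = "<" if data[:4] == b"\xd4\xc3\xb2\xa1" else ">"
    pos, out = 24, []                                     # skip the 24-byte global header
    while pos + 16 <= len(data):
        _, _, incl_len, _ = struct.unpack(endian + "IIII", data[pos:pos + 16])
        out.append(_frame_payload(data[pos + 16:pos + 16 + incl_len]))
        pos += 16 + incl_len
    return out

if __name__ == "__main__":
    for i, p in enumerate(pcap_payloads(SAMPLE_PCAP), 1):
        print(i, p.hex())
```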