
Is there a method in which I can remove or filter headers keeping only the payload during a live capture via Wireshark or tshark? I know that I can modify an existing capture using editcap.

asked 18 Aug '15, 13:07


No, this isn't possible. dumpcap (the tool which both Wireshark and tshark start to do the capture) does not process frames before writing them to disk.


answered 18 Aug '15, 16:37

Jasper ♦♦

Hi Jasper, when I run tshark with the following options "tshark -i -T fields -e data" I am able to get the output that I want. Is there an equivalent Wireshark display filter?

(20 Aug '15, 13:21) NiCe85

Well, you can filter on "data" but Wireshark will always show the full packet - that's because the "-T fields -e data" is a feature that selectively prints just the fields mentioned (it's not a "display filter" as such), while Wireshark always shows all fields.

(20 Aug '15, 14:14) Jasper ♦♦
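
Added example, not part of the original thread: a POSIX shell filter that turns the per-packet lines printed by "tshark -T fields -e data" back into raw payload bytes. It assumes each line is a hex string, optionally colon-separated, and that packets without a data field produce an empty line; the function name and the sample input are constructed for illustration.

```shell
#!/bin/sh
# Decode "tshark -T fields -e data" output (one hex string per packet)
# into the raw payload bytes. Intended use, with the capture interface
# filled in:
#   tshark -i <interface> -T fields -e data | payload_from_fields > payload.bin

payload_from_fields() {
    while IFS= read -r line || [ -n "$line" ]; do
        # Strip separators and whitespace; some versions print "48:65:6c".
        hex=$(printf '%s' "$line" | tr -d ':, \t\r')

        # Packets with no data field produce an empty line: nothing to emit.
        [ -z "$hex" ] && continue

        # Reject anything that is not an even-length run of hex digits,
        # so a stray header or error line never corrupts the output.
        case "$hex" in
            *[!0-9A-Fa-f]*)
                echo "skipping non-hex line: $line" >&2
                continue ;;
        esac
        if [ $(( ${#hex} % 2 )) -ne 0 ]; then
            echo "skipping odd-length line: $line" >&2
            continue
        fi

        # Emit one byte per hex pair via an octal escape, which both
        # bash and dash accept in printf '%b'.
        while [ -n "$hex" ]; do
            rest=${hex#??}
            byte=${hex%"$rest"}
            printf '%b' "\\0$(printf '%03o' "0x$byte")"
            hex=$rest
        done
    done
}

# Constructed sample: three packets, the second without a data field.
printf '48:65:6c:6c:6f\n\n2c20776f726c64\n' | payload_from_fields
echo
```

The decoded bytes are a concatenation of payloads with no packet boundaries, so keep the original capture if timing or framing matters for later analysis.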
question asked: 18 Aug '15, 13:07

question was seen: 1,475 times

last updated: 20 Aug '15, 14:14
