This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Removing headers during live capture

0

Is there a method in which I can remove or filter headers keeping only the payload during a live capture via Wireshark or tshark? I know that I can modify an existing capture using editcap.

asked 18 Aug '15, 13:07

NiCe85


One Answer:

1

No, this isn't possible. dumpcap (the tool which both Wireshark and tshark start to do the capture) does not process frames before writing them to disk.

answered 18 Aug '15, 16:37

Jasper ♦♦

Hi Jasper, when I run tshark with the following options "tshark -i -T fields -e data" I am able to get the output that I want. Is there an equivalent Wireshark display filter?

(20 Aug '15, 13:21) NiCe85

Well, you can filter on "data" but Wireshark will always show the full packet - that's because the "-T fields -e data" is a feature that selectively prints just the fields mentioned (it's not a "display filter" as such), while Wireshark always shows all fields.

(20 Aug '15, 14:14) Jasper ♦♦
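
The `-T fields -e data` output discussed above is one line of hex text per packet, not the payload bytes themselves. The following is an added example, not part of the original thread, that decodes that text back into raw bytes during a live capture. The function name `hex_to_bytes`, the interface name `eth0`, and the handling of colon-separated output are assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): turn the hex text printed by
# `tshark -T fields -e data` (one line per packet) back into raw payload bytes.

# hex_to_bytes: read hex lines on stdin, write the decoded bytes to stdout.
# - Separators such as ':' are dropped (assumption: depending on the tshark
#   version the field prints as "48:65:6c" or as "48656c").
# - Blank lines (packets that have no "data" field) are skipped.
# - Lines with an odd number of hex digits are skipped as malformed.
hex_to_bytes() {
    while IFS= read -r line || [ -n "$line" ]; do
        hex=$(printf '%s' "$line" | tr -cd '0-9A-Fa-f')
        [ -n "$hex" ] || continue
        [ $(( ${#hex} % 2 )) -eq 0 ] || continue
        while [ -n "$hex" ]; do
            rest=${hex#??}            # everything after the first two digits
            byte=${hex%"$rest"}       # the first two digits
            # Emit the byte through an octal escape, which POSIX printf %b supports.
            printf '%b' "\\0$(printf '%03o' "0x$byte")"
            hex=$rest
        done
    done
}

# Constructed sample input: two packets with payload, one without.
printf '48:65:6c:6c:6f\n\n20776f726c640a\n' | hex_to_bytes

# Live use (interface name "eth0" is an assumption; -l flushes after each
# packet, -Y data keeps only packets that carry a "data" field):
#   tshark -i eth0 -l -Y data -T fields -e data | hex_to_bytes > payload.bin
```

The capture file written by dumpcap still contains the full frames; only the text that tshark prints is reduced to the selected field.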