This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Enabled protocols (negation of disabled proto)

0

I'm using tshark and I'm interested in only dissecting eth and tcp for performance issues.

How can I easily disable all protocols except eth and tcp? Do I have to list all protocols, and disable them except eth/tcp, or there's an easy "dissect only these protocols" option?

I've thought about reducing snaplen, but you never know length of IP/TCP options...

Thanks!

asked 26 Nov '15, 09:31

TomLaBaude's gravatar image

TomLaBaude
66171724
accept rate: 66%


One Answer:

1

How can I easily disable all protocols except eth and tcp?

If you do exactly that, you will not see any TCP traffic, because TCP runs atop IPv4 and IPv6, and if you disable all protocols except Ethernet and TCP, you will disable IPv4 and IPv6, so they won't ever dissect anything and thus won't hand anything to the TCP dissector.

So what you need to do is to disable everything except Ethernet, IPv4, IPv6, and TCP.

Do I have to list all protocols, and disable them except eth/tcp

You can't conveniently do that in TShark - it's a big list - but you can, at least with newer versions of Wireshark, somewhat conveniently disable them in Wireshark and then use TShark, which will use the same list of enabled and disabled protocols.

What you'd do would be to open the "Disabled Protocols" dialog, click "Disable All", and then enable Ethernet, IPv4, IPv6, and TCP.

With current versions of Wireshark, you will also have to enable a protocol named "Ethertype"; that's not a real protocol, and it shouldn't be possible to disable it, but, currently, it is possible. I've fixed that so that you don't have to enable it, but that won't show up until there's a 2.0.1 release.

That's a persistent change, so if you do want to dissect other protocols in the future, you'll have to re-enable all protocols.

or there's an easy "dissect only these protocols" option?

No, there isn't. In order to be able to do it non-persistently with a TShark command-line option, a "disable all protocols other than these" option would have to be added to TShark; if you want that, file a request on the Wireshark Bugzilla.

answered 26 Nov '15, 12:40

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Thanks for answer Guy (and thanks to remind me that there's life between layer 2 and layer 4!)

So my plan is to create a profile in wireshark and generate a disabled_protos file from the GUI, and then use this personal profile in tshark

(27 Nov '15, 01:41) TomLaBaude