I am trying to parse XMPP messages. Looks like some attributes/elements are unknown. For each such attribute/element, there is "expert info" next to it. It is kind of annoying and makes it hard to read the packet info. Following is a screen capture. Is there any way to remove expert info from the display window?
No, there's no way to do that (short of modifying Wireshark's source code). Can I ask why you'd want to?

Just updated my question above.
(08 Feb '16, 11:24)
yacare
In that case, and assuming that the highlighted fields actually are valid XMPP, I'd suggest opening an enhancement request (with a sample capture) asking Wireshark to correctly decode those fields (that is, make Wireshark understand them/decode them so it stops noting that it didn't understand/decode them).
(08 Feb '16, 11:29)
JeffMorriss ♦
To answer my question, expert info will not be shown when Wireshark is run from the command line with tshark.
Odd... That actually sounds like a bug to me. Does it behave differently if you give the "-2" or "-Y"/"-R" options?
(12 Feb '16, 07:25)
JeffMorriss ♦
Please don't fix it if it is indeed a bug. :) Here is what I used.

    tshark -X lua_script:xmpp.lua -r vhost0.pcap -O xmpp -Y "tcp.port==5269"

I don't see any difference with the -2 option.

    tshark -X lua_script:xmpp.lua -r vhost0.pcap -O xmpp -Y "tcp.port==5269" -2
(12 Feb '16, 07:31)
yacare