I have configured my Default profile to include a custom field for the ldap.response_in value. In Wireshark, it works great, but in tshark, the values are empty. This Windows command line returns empty lines for the 6 hits on "ldap.request || ldap.response" filter:
asked 28 Jul '11, 08:23
edited 28 Jul '11, 15:59
Tshark does one pass through the tracefile while wireshark displays packets only after analysing them all first. That's why Wireshark knows when (in the future) a response will be given to a paricular request. tshark however has no knowledge about "the future", so it does not know which packet the response will be in.
There is an undocumented option in tshark to make it do a 2-pass analysis, just like Wireshark. But I'm not sure how complete that functionality is at the moment (I have never used it myself). You can always try of course... The command line option that you have to use is "-P".
answered 28 Jul '11, 11:18