This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Disable protocol dissection in tshark?

0

Is there a hidden parameter I can use with tshark to disable the dissection of some protocol? Sure, I can edit the disabled protocols file, but I'm wondering if there's a more "dynamic" way to disable a protocol.

Thanks!

asked 09 Aug '11, 22:45

r0u1i


One Answer:

0

There's no tshark "hidden parameter" to disable dissection of a protocol.

tshark does have an option to only show packet details for a list of specified protocols but this is quite different than enabling a set of protocols. (That is: dissection takes place as per the enabled/disabled list, but the details for just the specified protocols (and those riding on same) are printed).

  -O <protocols>           Only show packet details of these protocols, comma
                           separated

If I had a need to do this dynamically w/o making changes to tshark, I suspect I'd end up doing some scripting to create a disabled protocols file on-the-fly (and storing it in the right place) before invoking tshark.

If you think an option to specify a list of disabled protocols (or maybe a list of enabled protocols) might be a generally useful feature to include in tshark, feel free to provide a patch (or request an enhancement) at bugs.wireshark.org. :)

answered 10 Aug '11, 09:02

Bill Meier ♦♦

edited 10 Aug '11, 09:05

Please note that the -O option only has effect on which protocols get expanded in the -V output.

(10 Aug '11, 09:13) SYN-bit ♦♦
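
One way to script the approach suggested in the answer above (an added example, not from the original posts or the Wireshark project): write a throwaway disabled_protos file into a temporary configuration directory and point tshark at it for a single run. It assumes a tshark build that honours the WIRESHARK_CONFIG_DIR environment variable and reads disabled_protos with one protocol filter name per line; the function names and the capture file name are hypothetical.

```shell
#!/bin/sh
# Added example: per-invocation disabled-protocols file for tshark.

# write_disabled_protos DIR [PROTO...]
# Writes DIR/disabled_protos, one protocol filter name per line.
# Rejects names with characters outside [a-z0-9_.-] before touching the disk.
write_disabled_protos() {
    dir=$1
    shift
    for p in "$@"; do
        case $p in
            ''|*[!a-z0-9_.-]*) echo "bad protocol name: '$p'" >&2; return 1 ;;
        esac
    done
    mkdir -p "$dir" || return 1
    if [ "$#" -eq 0 ]; then
        : > "$dir/disabled_protos"            # empty list: nothing disabled
    else
        printf '%s\n' "$@" > "$dir/disabled_protos"
    fi
}

# tshark_without PROTO[,PROTO...] [tshark arguments...]
# Runs tshark with only the listed protocols disabled, then cleans up.
# Assumption: WIRESHARK_CONFIG_DIR is honoured by the installed tshark.
# The temporary directory is otherwise empty, so the user's normal
# personal preferences are not loaded for this run.
tshark_without() {
    protos=$1
    shift
    cfg=$(mktemp -d) || return 1
    # Subshell keeps the IFS and noglob changes local to the list split.
    if ( IFS=,; set -f; write_disabled_protos "$cfg" $protos ); then
        WIRESHARK_CONFIG_DIR=$cfg tshark "$@"
        rc=$?
    else
        rc=2
    fi
    rm -rf "$cfg"
    return "$rc"
}

# Example call (capture.pcap is a placeholder file name):
#   tshark_without http,ssl -r capture.pcap -V
```
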