Is there a hidden parameter I can use with tshark to disable the dissection of some protocol? Sure, I can edit the disabled protocols file, but I'm wondering if there's a more "dynamic" way to disable a protocol. Thanks! asked 09 Aug '11, 22:45  r0u1i |
One Answer:
There's no tshark "hidden parameter" to disable dissection of a protocol. tshark does have an option to only show packet details for a list of specified protocols but this is quite different than enabling a set of protocols. (That is: dissection takes place as per the enabled/disabled list, but the details for just the specified protocols (and those riding on same) are printed). If I had a need to do this dynamically w/o making changes to tshark, I suspect I'd end up doing some scripting to create a disabled protocols file on-the-fly (and storing it in the right place) before invoking tshark. If you think an option to specify a list of disabled protocols (or maybe a list of enabled protocols) might be a generally useful feature to include in tshark, feel free to provide a patch (or request an enhancement) at bugs.wireshark.org. :) answered 10 Aug '11, 09:02  Bill Meier ♦♦ edited 10 Aug '11, 09:05 |
Please note that the -O option only has effect on which protocols get expanded in the -V output.