This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to disable dissectors in tshark?


This works:

tshark -r $pcap -R 'tcp.seq==1 and tcp.flags.push==1' -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e data

...but when the payload is recognized as SSL or HTTP, the data does not get output. I want to turn off ALL decoding.

This is the parameter that I wish exists:

-d tcp.port==any,nodecode

...or something like that.

Any ideas?

asked 14 Mar '12, 13:12


rafs

edited 14 Mar '12, 13:38

I found that you can override 'preferences' for which ports are associated with which protocol. This isn't exactly what I was looking for, but works to stop http and https dissectors from intercepting my output. Good enough for now, I guess.

-o http.tcp.port:0 -o http.ssl.port:0

I think there might be a way to turn all off. Wireshark allows this via "Do not decode" in the GUI, but I am not sure what's going on...

(14 Mar '12, 17:07) rafs

One Answer:


In your Wireshark preferences folder(1) there is a file called "disabled_protos" which contains all the protocols that Wireshark should not dissect. If you use configuration profiles, look in the specific configuration profile that you are using (instead of the general preferences folder).

(1) If you don't know the location of your preferences folder, look at the "Help -> About Wireshark" page and click on the "Folders" tab.

answered 14 Mar '12, 17:21


SYN-bit ♦♦

edited 14 Mar '12, 17:22

Hi SYN-bit. Thanks for the response. I created a new Configuration Profile called 'disable_some_protos' and then disabled the protocols that I wanted disabled using the Wireshark GUI on my WinXP. I see that my personal configuration profiles are in the folder C:\Documents and Settings\<myusername>\Application Data\Wireshark\profiles\disable_some_protos ...and it has cfilters, disabled_protos, preferences, recent.

(14 Mar '12, 21:16) rafs

How do I apply the 'disabled_protos' file to my tshark command?

(15 Mar '12, 14:31) rafs

from the tshark help: "-C <config profile> start with specified configuration profile"

(15 Mar '12, 14:39) grahamb ♦

This works...

$ tshark -r http01.pcap -R 'tcp.seq==1 && tcp.flags.push==1' -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e data -C disable_some_protos

...but what about a portable solution, like including this command in a script? How do I set the search path for config profiles?

(15 Mar '12, 17:40) rafs

What is not portable in the command above? How will it not work in a script?

There is no "search path" for profiles, they are always stored in your preferences folder under "profiles/<profile_name>"

(17 Mar '12, 02:08) SYN-bit ♦♦

I wanted to bundle the configuration profile with the script and give it to co-workers. In this case, the coworkers have to find out where their config profiles are stored then copy the profile there. Not a big deal. Anyways, thanks for the help. It is already very useful. I love tshark. Cheers.

(24 Mar '12, 15:25) rafs

In Windows, the Wireshark personal profiles are stored in %APPDATA%\Wireshark\profiles (e.g., "C:\Users\Tony\AppData\Roaming\Wireshark\profiles"). Your script could automatically copy the files to that path, using the %APPDATA% environment variable.

(24 Mar '12, 16:05) helloworld

I've just tried this with TShark 1.10.2 (SVN Rev 51934 from /trunk-1.10) but it says the profile doesn't exist. There was no ...\Wireshark\profiles folder but when I created one and moved my profile file there is still gave the same error.

C:\Data>tshark -C my_protos -r Sample.cap -Tfields -eframe.time -eip.src -eip.dst -edata > data.txt
tshark: Configuration Profile "my_protos" does not exist

(09 Oct '13, 02:44) wiggers

What is the output of dir %APPDATA%\Wireshark\Profiles?

(09 Oct '13, 03:00) grahamb ♦

It finds my_protos.

(09 Oct '13, 03:35) wiggers

Under the %APPDATA%\Wireshark\Profiles directory you should have a directory named for the profile, and in that some files, e.g. preferences and recent.

(09 Oct '13, 07:02) grahamb ♦

There was no Profiles folder, just %APPDATA%\Wireshark, until I created one myself.

09/10/2013  10:28                40 disabled_protos
09/10/2013  10:34    <DIR>          profiles
09/10/2013  11:52             2,086 recent
09/10/2013  11:52             1,733 recent_common

(09 Oct '13, 08:00) wiggers

And what is the contents of your my_protos directory, i.e., dir %APPDATA%\Wireshark\profiles\my_protos\?

(09 Oct '13, 08:33) cmaynard ♦♦

OK, finally got it to work.

  1. Create a new profile in Wireshark
  2. Copy disabled_protos to the profile folder
  3. Edit disabled_protos to disable the undesired protocols
  4. Use the tshark switch -C <profile> where 'profile' is the name of the profile and not the file containing the protocols.

This seems to have defeated the ability to have multiple different protocol files that you can switch between programmatically. Now you have to create a profile for every different list. Congratulations to whoever thought that was a good idea!

(14 Oct '13, 04:31) wiggers
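The four steps above, put together as a script so the profile can be shipped with it and rebuilt on a co-worker's machine instead of being clicked together in the GUI. This is an added example, not code from the thread or from the Wireshark project. Assumptions not stated in the thread: the personal configuration directory defaults to ~/.config/wireshark (older Unix releases used ~/.wireshark, and on Windows it is %APPDATA%\Wireshark as noted above), so the base directory is a parameter; the filter is passed with -Y, which became the single-pass display-filter option in tshark 1.10 while -R turned into the two-pass read filter; the protocol names are the filter names Wireshark itself writes to disabled_protos (http, ssl, and so on, one per line).

```shell
#!/bin/sh
# Added example, not from the thread: build a Wireshark configuration profile
# whose only content is a disabled_protos file, then run tshark with -C.
# Assumption: the personal config dir is ~/.config/wireshark on current
# Unix releases; pass another base dir (e.g. "$APPDATA/Wireshark") to override.

# make_profile BASE_DIR PROFILE_NAME PROTO...
# Writes BASE_DIR/profiles/PROFILE_NAME/disabled_protos with one protocol
# filter name per line, the same layout the GUI writes, and prints the
# profile directory. Rebuilding a profile replaces its list.
make_profile() {
    _base=$1; _name=$2; shift 2
    _dir="$_base/profiles/$_name"
    mkdir -p "$_dir" || return 1
    : > "$_dir/disabled_protos"
    for _proto in "$@"; do
        printf '%s\n' "$_proto" >> "$_dir/disabled_protos"
    done
    printf '%s\n' "$_dir"
}

# profile_disables BASE_DIR PROFILE_NAME PROTO: exit 0 if PROTO is listed
profile_disables() {
    grep -qx "$3" "$1/profiles/$2/disabled_protos"
}

# count_disabled BASE_DIR PROFILE_NAME: number of protocols in the file
count_disabled() {
    wc -l < "$1/profiles/$2/disabled_protos" | tr -d ' '
}

# dump_raw_tcp PROFILE_NAME PCAP: the question's command, run under the
# profile so the http/ssl dissectors no longer consume the TCP payload and
# the "data" field is populated. -Y is the display filter in tshark >= 1.10.
dump_raw_tcp() {
    tshark -C "$1" -r "$2" -Y 'tcp.seq==1 && tcp.flags.push==1' \
        -T fields -e ip.src -e tcp.srcport -e ip.dst -e tcp.dstport -e data
}

# Usage: ./raw_tcp.sh capture.pcap
# (profile name "raw_tcp" and the protocol list are fixed here)
if [ -n "${1:-}" ]; then
    make_profile "${WIRESHARK_CONFIG_DIR:-$HOME/.config/wireshark}" \
        raw_tcp http ssl >/dev/null
    dump_raw_tcp raw_tcp "$1"
fi
```

Only the protocols named in disabled_protos are switched off, so "turn off ALL decoding" means listing every dissector that claims the payload in your captures (the `-o http.tcp.port:0 -o http.ssl.port:0` workaround from the question is the per-dissector equivalent for port-registered protocols). Two version notes: the SSL dissector's filter name became `tls` in Wireshark 3.0, so a profile written for older releases needs `tls` added, and tshark 2.0 and later also accept `--disable-protocol <name>` on the command line, which avoids the profile directory altogether when the list is short.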

@wiggers, I'm not entirely sure what your specific gripe is, and at this point I don't really care. But it seems that because you failed to read the user guide to find out what configuration profiles are all about and how to easily create them, you:

  • Didn't understand much about them.
  • Struggled unnecessarily to create one and effectively use it.
  • Wasted others' time trying to help you.
  • Decided that because the configuration profiles didn't meet your specific use case (whatever it might be) that you should mock the feature.

Well, just so you know, your sarcasm is neither welcome nor appreciated here and isn't a particularly good way to encourage anyone to help you in the future.

(14 Oct '13, 16:05) cmaynard ♦♦

The link you give is to "Chapter 10. Customizing Wireshark". I was trying to find out how to use tshark, the man page for which states baldly "-C <configuration profile> - Run with the given configuration profile." This gives no indication that this is a special Wireshark profile. I erroneously assumed that this <configuration profile> was a file containing the required settings, instead of a folder containing a number of Wireshark configuration files. This, to my mind being a novice with Wireshark, is counter-intuitive. The community here are no doubt all experienced users laughing at the newbie who doesn't understand the convoluted way things are set up and that all the tools are interdependent, instead of usefully standalone. It was my time that was wasted if anyone's!

(15 Oct '13, 01:18) wiggers

@wiggers, please consider this. Wireshark is an open source project, not a commercial product. There is no entitlement for quick 'support response times' nor any SLA to fulfill. The product may have bugs (including the docs) as any other software. However, in the case of Wireshark there is no vendor to blame and nobody to demand a fix from, as you paid nothing for Wireshark.

So, if you think the docs are misleading, why don't you give back to the Wireshark community by fixing the misleading documentation?

It was my time that was wasted if anyone's!

After all Wireshark helped you to solve whatever problem you might have had. This was possible due to the effort of the numerous developers and those who answered your questions on this site. All of them do this in their spare time. No one needs to do any of that!

Giving some credit to those people is the least you could do. Even better: post a fix for the misleading docs, now that you understand profiles and know what needs to be fixed ;-)

(15 Oct '13, 06:26) Kurt Knochner ♦

There is no entitlement for quick 'support response times' nor any SLA to fulfill.

At no time have I indicated this was what I was expecting. My only adverse comment was a tongue-in-cheek one about the need to use a GUI to create a profile for a command line tool and the ambiguity of whether a 'profile' was a file or a folder. This is basic poor workmanship. It doesn't matter if it is a commercial product or something knocked up in your mum's back bedroom. If you make a change to the way something works you must document it. Don't wait for someone else to figure what you've done and do your documentation for you. I have wasted hours reading this forum and trying out the solutions given only to find that the design or implementation has changed so the solutions no longer work.

(15 Oct '13, 06:39) wiggers

I have wasted hours reading this forum and trying out the solutions given only to find that the design or implementation has changed so the solutions no longer work.

So, now that you know how it works, why don't you fix the docs?

I wonder how much time you would have wasted if you had tried to solve your problem with another sniffer and how much you would have paid?

Anyway, I don't like flame wars in general and especially not on this site, so if you want to contribute anything: Do so and fix the docs or make a proposal how to fix it. If you just want to use Wireshark without giving back: Do that.

This is basic poor workmanship.

In either case (see above), if you think you can do it better: Do so.

(15 Oct '13, 06:47) Kurt Knochner ♦