I have a problem getting tshark to decode packets as http2. The traffic I am analysing contains http2 on several differemt ports, 5070,5080,7070 and 8080. I'm decoding using: tshark -T json -x -n -r test.pcap -d tcp.port==7070,http2 -d tcp.port==5070,http2 -d tcp.port==5080,http2 -d tcp.port==8080,http2 > output.json
If I try to decode all captured packets, tshark will not decode all packets as http2, some will only be tcp. However, if I select some none decoded packets and save them in a new pcap-file and then run tshark on that file, tshark successfully decodes them into http2.
Why and is there a way to force tshark to decode all packets on e.g. port 7070 as http2, irrelevant of the overall packet flow?