1 | initial version |
Can you do it with the ip.proto
field?
2 | No.2 Revision |
Can you do it with the ip.proto
field?
Or disable the dissectors for the application layers: (ignore ref to data.data for your use) https://ask.wireshark.org/question/11887/tshark-get-only-application-level-data-bytes/
Brute force might be to have a profile with all protocols disabled except ethernet, ipv4, ipv6?, tcp and udp. Use "-C" to specify the profile to load and print the data.data field.
tshark -r .\http-riverbed-one.pcapng -C data_data -e "data.data" -Tfields -Y data.data > tmp.fil