Can you do it with the ip.proto field?

Or disable the dissectors for the application layers: (ignore ref to data.data for your use) https://ask.wireshark.org/question/11887/tshark-get-only-application-level-data-bytes/

Brute force might be to have a profile with all protocols disabled except ethernet, ipv4, ipv6?, tcp and udp. Use "-C" to specify the profile to load and print the data.data field.

tshark -r .\http-riverbed-one.pcapng -C data_data -e "data.data" -Tfields -Y data.data > tmp.fil
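
Added example, not part of the original answer: a Python sketch for turning the `tmp.fil` written by the command above back into raw payload bytes. It assumes `-T fields` defaults (multiple `data.data` occurrences in one frame joined by commas), tolerates colon-separated hex, and handles the UTF-16 BOM that Windows PowerShell 5.1 writes when `>` is used; `parse_data_fields` and `SAMPLE` are hypothetical names, and the sample lines are constructed.

```python
import codecs

# Constructed sample of what tmp.fil may contain: plain hex, colon-separated
# hex, a blank line, and one frame with two data.data occurrences.
SAMPLE = "474554202f\n48:54:54:50\n\n0102,0304\n"


def read_text(raw: bytes) -> str:
    """Decode redirected tshark output, tolerating a PowerShell UTF-16 BOM."""
    if raw.startswith((codecs.BOM_UTF16_LE, codecs.BOM_UTF16_BE)):
        return raw.decode("utf-16")   # the codec consumes the BOM
    return raw.decode("utf-8-sig")    # plain ASCII/UTF-8, optional BOM


def parse_data_fields(raw: bytes) -> list[list[bytes]]:
    """Return one list per non-empty line; each item is one data.data value."""
    frames = []
    for lineno, line in enumerate(read_text(raw).splitlines(), 1):
        line = line.strip()
        if not line:
            continue  # a frame without data.data prints an empty line
        payloads = []
        for occurrence in line.split(","):
            hexstr = occurrence.strip().replace(":", "")
            try:
                payloads.append(bytes.fromhex(hexstr))
            except ValueError as exc:
                raise ValueError(
                    f"line {lineno}: not hex: {occurrence!r}") from exc
        frames.append(payloads)
    return frames


if __name__ == "__main__":
    # Simulate a file written by Windows PowerShell 5.1 (UTF-16 with BOM).
    for i, payloads in enumerate(parse_data_fields(SAMPLE.encode("utf-16")), 1):
        print(i, payloads)
```
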