Is it possible to disable all TCP expert information in tshark when outputting JSON?

asked 2018-02-12 15:50:45 +0000

stephan

I need to parse the dissector output of tshark. I use JSON with raw data via -T json -x. If tshark detects some retransmission (curiously not all) or other "fatal" errors in TCP, the payload of the encapsulated protocol does not get dissected any more. An example of this behaviour is shown below. This confuses my parser and is undesired in my case. I cannot make any assumptions about the payload protocol, so a kind of "whitelist" of dissectors is no option. --disable-protocols _ws.expert does not seem to have any effect. The same goes for -z "expert,note,tcp" or similar statistics options.

I couldn't find out how to disable all TCP expert information in the tshark output. Is this possible? Alternatively, forcing it to print the dissection of the payload despite a "fatal expert error" would be sufficient for me.

...
    "tcp": {
      ...
      },
      "tcp.analysis": {
        "tcp.analysis.acks_frame": "194",
        "tcp.analysis.ack_rtt": "0.000656000",
        "tcp.analysis.flags": {
          "_ws.expert": {
            "tcp.analysis.retransmission": "",
            "_ws.expert.message": "This frame is a (suspected) retransmission",
            "_ws.expert.severity": "4194304",
            "_ws.expert.group": "33554432"
          },
          "tcp.analysis.rto": "-14.135924000",
          "tcp.analysis.rto_frame": "64"
        }
      },
      "tcp.segment_data": "3a:69:72:63:2d:73:65:72:76:65:72:2e:6c:6f:63:61:6c:20:50:4f:4e:47:20:69:72:63:2d:73:65:72:76:65:72:2e:6c:6f:63:61:6c:20:3a:4c:41:47:31:32:39:31:33:36:33:34:31:38:30:34:33:34:34:30:0d:0a"
    }
...