Do not decode above tcp.port and output as text
Hi all,
It might be that the answer is already written somewhere, but I haven't been able to find it.
The situation is as follows: we capture network traffic to process data from one particular port. After doing the capture, we convert it to a comma-separated file using:
tshark.exe -r input.pcapng -o data.show_as_text:TRUE -F logcat-long -eframe.time_epoch -eip.src -eip.dst -edata.text -Tfields "tcp.analysis.push_bytes_sent and tcp.port == 10001" > output.csv
Most of the time this works great. However, one time we got a session that was interpreted as irc. This led to the column data.text being empty for that session.
I am thinking of adding --disable-protocol irc as an extra argument to never have the issue again for irc.
However, I was wondering whether there are better arguments to also achieve the same results.
I did notice that the -C option can be used to specify a configuration file. These tests are running on multiple machines, so I would prefer to have a command-line only option.
There is also tcp.payload, which can be output by replacing -edata.text with -etcp.payload, but that only contains numbers and not the text.
Does anybody have any good suggestions for command line parameters to use?
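
Added example, not part of the original post: a post-processing step that turns the hex digits tshark prints for tcp.payload back into text. tcp.payload is filled in by the TCP dissector itself, so it stays populated whichever protocol gets decoded above TCP. It assumes the command from the post with -edata.text replaced by -etcp.payload and tshark's default tab separator; the function names and sample lines are constructed for illustration.

```python
import csv
import io

# Constructed sample of "tshark -Tfields" output: epoch, ip.src, ip.dst, tcp.payload.
SAMPLE = [
    "1700000000.100000000\t192.0.2.10\t192.0.2.20\t48454c4c4f2031323334\r\n",
    "1700000000.200000000\t192.0.2.20\t192.0.2.10\t4e:49:43:4b:20:61:0d:0a\r\n",
    "1700000000.300000000\t192.0.2.10\t192.0.2.20\t\r\n",  # frame without payload
]

def decode_payload(hex_field, encoding="utf-8"):
    """Turn one tcp.payload field value (hex digits) into printable text."""
    parts = []
    for value in hex_field.split(","):  # "," is tshark's default aggregator for repeated fields
        cleaned = value.strip().replace(":", "")  # accept 48:65:6c as well as 48656c
        if not cleaned:
            continue
        try:
            raw = bytes.fromhex(cleaned)
        except ValueError:
            parts.append("<unparsed:%s>" % value)  # keep odd input visible, do not drop it
            continue
        text = raw.decode(encoding, errors="replace")
        # Escape control characters so every frame stays on a single CSV row.
        parts.append("".join(c if c.isprintable() else "\\x%02x" % ord(c) for c in text))
    return "".join(parts)

def convert(tshark_lines, out):
    """Write a CSV with the payload column decoded; return the number of data rows."""
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["frame.time_epoch", "ip.src", "ip.dst", "text"])
    rows = 0
    for line in tshark_lines:
        fields = line.rstrip("\r\n").split("\t")
        if len(fields) != 4:
            continue  # not a four-column line from the command above
        writer.writerow(fields[:3] + [decode_payload(fields[3])])
        rows += 1
    return rows

if __name__ == "__main__":
    # For real use, pass sys.stdin and sys.stdout instead of the sample and buffer.
    buf = io.StringIO()
    convert(SAMPLE, buf)
    print(buf.getvalue(), end="")
```
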