Do not decode above tcp.port and output as text

asked 2021-03-08 12:15:14 +0000

Hi all,

It might be that the answer is already written somewhere, but I haven't been able to find it.

The situation is as follows: we capture network traffic to process data from one particular port. After doing the capture, we convert it to a comma-separated file using:

tshark.exe -r input.pcapng -o data.show_as_text:TRUE -F logcat-long -eframe.time_epoch -eip.src -eip.dst -edata.text  -Tfields "tcp.analysis.push_bytes_sent and tcp.port == 10001" > output.csv

Most of the time this works great. However, one time we got a session that was interpreted as irc. This led to the column data.text being empty for that session.

I am thinking of adding --disable-protocol irc as extra argument to never have the issue again for irc. However, I was wondering whether there are better arguments to also achieve the same results.

I did notice that the -C option can be used to specify a configuration file. These tests are running on multiple machines, so I would prefer to have a command-line only option.

Also, tcp.payload can be output by replacing -edata.text with -etcp.payload, but that only contains numbers and not the text.

Does anybody have good suggestions for command line parameters to use?

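One way to sidestep the dissector problem entirely is to export tcp.payload (which tshark prints as hex) and decode it to text afterwards, so the CSV no longer depends on which protocol Wireshark guessed for the stream. The following is an added example, not code from the question or from Wireshark; the sample tshark output is constructed and assumes the field order -e frame.time_epoch -e ip.src -e ip.dst -e tcp.payload with tshark's default tab separator.

```python
import binascii
import csv
import io

# Constructed sample of `tshark -T fields` output, tab-separated as tshark
# emits by default (fields: frame.time_epoch, ip.src, ip.dst, tcp.payload).
# The third row uses the older colon-separated hex form of tcp.payload; the
# fourth is a segment that carried no payload (empty field).
SAMPLE_TSHARK_OUTPUT = (
    "1615205714.123456\t10.0.0.5\t10.0.0.9\t53656e736f722d4131\n"
    "1615205715.654321\t10.0.0.9\t10.0.0.5\t4f4b0d0a\n"
    "1615205716.000000\t10.0.0.5\t10.0.0.9\t54:65:6d:70:3d:32:31\n"
    "1615205717.000000\t10.0.0.5\t10.0.0.9\t\n"
)


def payload_hex_to_text(hex_field, encoding="ascii"):
    """Turn a tcp.payload field (hex, with or without ':' separators) into
    text. Bytes that are not valid in the chosen encoding are rendered as
    \\xNN escapes so nothing is silently dropped from the record."""
    raw = binascii.unhexlify(hex_field.replace(":", ""))
    return raw.decode(encoding, errors="backslashreplace")


def convert(tshark_output):
    """Yield (time_epoch, src, dst, text) rows; rows without payload are skipped."""
    reader = csv.reader(io.StringIO(tshark_output), delimiter="\t")
    for row in reader:
        if len(row) < 4 or not row[3]:
            continue
        t, src, dst, payload_hex = row[:4]
        yield t, src, dst, payload_hex_to_text(payload_hex)


def to_csv(tshark_output):
    """Render the converted rows as the body of a comma-separated file.
    Fields containing CR/LF (common in line-oriented protocols) are quoted
    by the csv module, so the output stays parseable."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    writer.writerow(["time_epoch", "src", "dst", "text"])
    for row in convert(tshark_output):
        writer.writerow(row)
    return buf.getvalue()


if __name__ == "__main__":
    print(to_csv(SAMPLE_TSHARK_OUTPUT), end="")
```

Pipe the tshark output into this script instead of redirecting it straight to output.csv; the hex export is the same whether the stream was dissected as data, irc, or anything else.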