Ask Your Question
0

How to enable the analyze protocol with editing config file

asked 2021-07-21 01:51:55 +0000

lhe gravatar image

I would like to enable the analyze protocol mac-nr for tshark. I know usually we can edit it through wireshark GUI (Analyze->Enabled Protocols), but my env can't bring up the wireshark GUI, and we only need to use the tshark.

Have tried to add the mac-nr into the personal config file : ~/.config/wireshark/enabled_protos, but seems it can't take effect.

Which file should I modify to enable the protocols?

Thanks!

edit retag flag offensive close merge delete

Comments

And is there any method/cmd which can list all the enabled protocols? (without using GUI). Thanks.

lhe gravatar imagelhe ( 2021-07-21 01:54:36 +0000 )edit

To make tshark use a personal config file, pass in the config name with the -C option.

grahamb gravatar imagegrahamb ( 2021-07-21 08:51:48 +0000 )edit

Hi, The protocol sholuld be enabled by default but I think it's on of the decoders tha needs information on the channel configuration Looking atthe code there seems to be preferences that can be filled in. Not sure how to do that with tshark.

Anders gravatar imageAnders ( 2021-07-21 10:28:00 +0000 )edit

Thanks all for the comments. I edited the config file under the default personal config file path of the wireshark which doens't help. If I add the full path and filename (~/.config/wireshark/enabled_protos) after '-C', it always report profile does not exist. :( mac-nr is disabled by default since not lots of people need it. Thanks

lhe gravatar imagelhe ( 2021-07-21 14:13:45 +0000 )edit

Passing the profile name works for me (in Windows). I have created a new profile first though.

grahamb gravatar imagegrahamb ( 2021-07-21 14:41:03 +0000 )edit

1 Answer

Sort by ยป oldest newest most voted
0

answered 2021-07-21 07:56:38 +0000

BigFatCat gravatar image

updated 2021-07-21 08:50:13 +0000

grahamb gravatar image

The tshark option to enable a protocol is --enable-protocol, e.g.

--enable-protocol mac-nr

The tshark option to list all the dissectors is -G dissector-tables. I would use ">" to redirect the output to a file because the list is long.

edit flag offensive delete link more

Comments

Thank you for your answer. I've tried the --enable-protocol, but it can't work for me. For the " -G dissector-tables" output, seems I can't see all the enabled dissectors in the output. (for example, the protocol AAF is enabled by default, but I can't find in the output :( )

I also tried "-G protocols", the output listed much more, also see the mac-nr. I think it lists all the supported protocols but not only enabled one. thanks.

lhe gravatar imagelhe ( 2021-07-21 14:43:50 +0000 )edit

proto_mac_nr is registered as a heuristic (packet-mac-nr.c):

    /* Add as a heuristic UDP dissector */
    heur_dissector_add("udp", dissect_mac_nr_heur, "MAC-NR over UDP", "mac_nr_udp", proto_mac_nr, HEURISTIC_DISABLE);


Try with the tshark--enable-heuristic <short_name> option.

You might want to test in Wireshark with a known good capture to see what preferences may need to be set. (using the tshark option -o)

~$ tshark -G heuristic-decodes | grep -i mac
udp     mac-nr  F
udp     mac-lte F
Chuckc gravatar imageChuckc ( 2021-07-21 15:08:58 +0000 )edit

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

Stats

Asked: 2021-07-21 01:51:55 +0000

Seen: 52 times

Last updated: Jul 21