How to use tshark to export the reassembled data for a custom protocol
Hello everyone,
As the title states I would like to know how to export the reassembled data using the tshark. From Wireshark GUI it seems to be working. First I apply the display filter "custom_protocol.reassembled.data" and then File>"Export Packet Dissections">"As JSON" with "Packet Bytes" selected.
But in tshark a similar flow does not work.
I have tried the following
Enable the two-pass with -2 parameter Enable read filter with -R and filtering the packets where the reassembled data are attached Enable json output and hex, ASCII packet data with -x
so the complete command is tshark -2 -r ./test.pcap -R "filter to match the packets that the reassembled data will be attached" -x -T json > out.json
I have also tried without the "-R filter"
In both cases there is no reassemble information in any packet although I have enabled the 2 pass.