How to use tshark to export the reassembled data for a custom protocol

asked 2023-08-29 08:09:59 +0000

Hello everyone,

As the title states, I would like to know how to export the reassembled data using tshark. From the Wireshark GUI it seems to be working. First I apply the display filter "custom_protocol.reassembled.data" and then File > "Export Packet Dissections" > "As JSON" with "Packet Bytes" selected.

But in tshark a similar flow does not work.

I have tried the following:

- Enable the two-pass with the -2 parameter
- Enable the read filter with -R, filtering the packets where the reassembled data are attached
- Enable JSON output and hex, ASCII packet data with -x

So the complete command is:

tshark -2 -r ./test.pcap -R "filter to match the packets that the reassembled data will be attached" -x -T json > out.json

I have also tried without the "-R filter".

In both cases there is no reassembly information in any packet, although I have enabled the 2-pass.
