How to reference .proto files to tshark

asked 2025-09-09 15:03:01 +0000

Aminekhdh
1 ●1 ●2 ●1

I am trying to use a lua script that dissects protobuf messages, when I use wireshark and add my proto folder to the Protobuf Search Paths, everything works and I see my dissectors working, now I want to use tshark because I need it in a context of an automation and I only built tshark, from the script I am using I can see that the lua script is working and even the someip messages being decoded correctly, when it comes to protobuf that's where I get a wrong result, I guess the built in protobuf dissector is being used instead of the one that I have in my plugin.

Here is a sample of the result: 
"_ws.lua.fake": "",
        "protobuf": {
          "Message: <UNKNOWN>": {
            "protobuf.message.name": "<UNKNOWN>",
            "Field(1): 106 (uint32)": {
              "protobuf.field.name": "<UNKNOWN>",
              "protobuf.field.number": "1",
              "protobuf.field.wiretype": "0",
              "protobuf.field.value": "6a",
              "protobuf.field.value_tree": {
                "protobuf.field.value.uint32": "106"

I have searched for an option to make tshark find the .proto files something like protocol_search_paths but nothing I have tried worked so far, do you know if there is a way to do this?

answered 2025-09-10 07:26:21 +0000

Aminekhdh
1 ●1 ●2 ●1

updated 2025-09-11 08:05:52 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23850 ●4 ●990 ●227 https://www.wireshark.org

I have finally found the solution for this, maybe someone else might need it in the future, tshark was finally able to use my .proto files when I used the preference protobuf_search_paths:

The command is:

tshark ... -o  uat:protobuf_search_paths: "/path/to/protofolder","TRUE"

don't forget to escape special characters like so otherwise it won't work :

"uat:protobuf_search_paths:\"/path/to/protofolder\",\"TRUE\""

edit flag offensive delete link

Comments

You can also add that to your preference file to make it permanent.

If you run Wireshark, you select Preferences from the Edit menu (non-Macs) or the Wireshark menu (Macs), open Protocols from the list on the left, search for "ProtoBuf" in that list (type "P" enough times and it'll get you to the protocols with names beginning with "P"), and click "Edit:" to edit the list of paths.

Guy Harris ( 2025-09-10 07:59:20 +0000 )edit

Thanks Harris for the fast comment, in our context I need to use tshark capabilities in a fully automated system, it was great to find that I can use the command line like that, I know the preference setting can be a one time thing but I would like to reduce any manual dependency as much as I can

Aminekhdh ( 2025-09-10 10:30:14 +0000 )edit

You can also use -C on the command line with TShark to select particular configuration profiles other than the default, which can be useful for automation. Note that TShark without that option will always use the Default profile, unlike Wireshark which uses the last selected profile.

johnthacker ( 2025-09-10 12:18:14 +0000 )edit

@Aminekhdh, generally we don't close answered questions, instead accept the answer by clicking the checkmark icon next to the answer.

grahamb ( 2025-09-11 08:07:25 +0000 )edit

add a comment

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

How to reference .proto files to tshark

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

How to reference .proto files to tshark edit

1 Answer

Comments

Your Answer

Question Tools

Stats

Related questions

How to reference .proto files to tshark