Lightweight tshark?

asked 2018-07-27 17:30:22 +0000

updated 2018-07-27 19:13:10 +0000


Is it possible to build a lightweight version of the latest stable release of tshark, with a limited subset of dissectors, assuming this is what takes up most of the space? I'm using CentOS 7.


answered 2018-07-27 19:47:01 +0000

It might be possible to do so, but the person attempting to do so would have to do all the work. They would have to remove dissectors from the or CMakeLists.txt files, and then make sure there are no places where a dissector not removed depends on a dissector that was removed.

I was worried you'd say that. I found a section on the wiki where someone had uploaded their patch file for version 1.x but it looked pretty involved. I was hoping for a simple build option where you could list the dissectors (groups of) you want!

mtis88 ( 2018-07-27 22:24:41 +0000 )

Could you do this by creating a configuration profile including only the desired dissections and specifying that profile to tshark with the -C option?

wesmorgan1 ( 2018-07-30 23:30:32 +0000 )

I’m looking to reduce the size of the install. But I will look at this to see if it reduces the load at runtime.

mtis88 ( 2018-08-02 20:57:44 +0000 )

Is there any advantage to using a configuration profile which only allows the dissectors required for the capture filter to function? Would it improve performance?

mtis88 ( 2018-08-05 07:44:53 +0000 )
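The dependency check mentioned in the answer can be partly automated. The following is an added example, not part of the original thread or of Wireshark's build system: it scans dissector sources for handles looked up by name with `find_dissector()` or `find_dissector_add_dependency()` and reports those whose only `register_dissector()` call sits in a file slated for removal. The file names and contents are constructed samples, and direct function calls between dissectors are not detected.

```python
import re

# Constructed sample sources (not real Wireshark files): file name -> C text.
SAMPLE_SOURCES = {
    "packet-foo.c": '''
        void proto_register_foo(void) { register_dissector("foo", dissect_foo, proto_foo); }
        void proto_reg_handoff_foo(void) { bar_handle = find_dissector("bar"); }
    ''',
    "packet-bar.c": '''
        void proto_register_bar(void) { register_dissector("bar", dissect_bar, proto_bar); }
    ''',
    "packet-baz.c": '''
        void proto_register_baz(void) { register_dissector("baz", dissect_baz, proto_baz); }
        void proto_reg_handoff_baz(void) {
            foo_handle = find_dissector_add_dependency("foo", proto_baz);
        }
    ''',
}

# Name under which a dissector handle is registered.
REGISTER_RE = re.compile(r'\bregister_dissector\s*\(\s*"([^"]+)"')
# Name under which another file fetches a handle.
LOOKUP_RE = re.compile(r'\bfind_dissector(?:_add_dependency)?\s*\(\s*"([^"]+)"')


def broken_lookups(sources, removed):
    """Return sorted (kept_file, handle_name, removed_file) tuples for every
    name lookup in a kept file whose registrations are all in removed files."""
    registered_in = {}
    for fname, text in sources.items():
        for name in REGISTER_RE.findall(text):
            registered_in.setdefault(name, set()).add(fname)

    problems = set()
    for fname, text in sources.items():
        if fname in removed:
            continue  # lookups inside removed files no longer matter
        for name in LOOKUP_RE.findall(text):
            providers = registered_in.get(name, set())
            # Unknown names are skipped: they may be registered outside the scanned set.
            if providers and providers <= set(removed):
                problems.add((fname, name, sorted(providers)[0]))
    return sorted(problems)


if __name__ == "__main__":
    for kept, handle, gone in broken_lookups(SAMPLE_SOURCES, {"packet-bar.c"}):
        print(f"{kept}: looks up '{handle}', registered only in removed {gone}")
```
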
