Hi,
I want to make decision on packet based on their transport layer protocol (Whether it is TCP or UDP). Now I do it by checking whether the tcp.srcport is set or not. How can I change the protocols layer shown in _ws.col.Protocol to transport layer instead of application layer in the output of the following command?
tshark -r capture.pcap -T fields -E separator=, -e frame.number -e frame.time_epoch -e ip.src -e ip.dst -e frame.len -e _ws.col.Protocol -E header=y -E quote=d -E occurrence=f > capture.csv
According to tshark manpage, It seems that -j or -J option do something similar to what I needed, but I couldn't find such example.
