I'm using the tshark command to get a txt file with a dump of some packets. It works, but I've got a problem. I've got UDP packets with a proprietary protocol, and in some cases Wireshark decodes them as the wrong protocol and I see them as malformed packets. Actually they aren't malformed; it's because of the proprietary protocol. When I dump the packets I can see only the packets not recognized by Wireshark, and empty data for the "malformed packets". Is there a way to say "not decode as" in tshark? I found only the option -d to say "decode as", but not "not decode as".

asked 05 Jul '13, 08:12 Marco
One Answer:
If you're just looking to disable protocol decoding in tshark, this was answered in the below thread by SYN-bit previously:

http://ask.wireshark.org/questions/9544/how-to-disable-dissectors-in-tshark

Basically just add the protocol to the disabled_protocols file in a profile, and use -C to specify that profile to use by tshark.

answered 05 Jul '13, 09:10 Quadratic
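The steps described in the answer above, as an added shell example that is not part of the original thread. The function name, the `WS_CONFIG_DIR` variable, the profile name `nodecode`, the protocol name `exampleproto` and the capture file names are placeholders; the default configuration path assumes a Linux install that keeps its personal configuration under `~/.config/wireshark` (older installs use `~/.wireshark`).

```shell
#!/bin/sh
# Added example: create a tshark profile whose disabled_protocols file
# lists the dissectors that should not claim the proprietary UDP traffic.
#
# Assumptions (not from the original thread):
#   - WS_CONFIG_DIR is a variable of this script only; it must point at the
#     personal configuration directory tshark actually reads.
#   - Protocol names are the filter names printed by `tshark -G protocols`.

make_nodecode_profile() {
    profile=$1; shift
    base=${WS_CONFIG_DIR:-${XDG_CONFIG_HOME:-$HOME/.config}/wireshark}
    dir=$base/profiles/$profile
    file=$dir/disabled_protocols

    mkdir -p "$dir" || return 1
    touch "$file" || return 1

    for proto in "$@"; do
        # One protocol filter name per line; skip names already listed so
        # the function can be re-run safely.
        grep -qxF -- "$proto" "$file" || printf '%s\n' "$proto" >> "$file"
    done

    # Return the path so the caller can inspect what tshark will read.
    printf '%s\n' "$file"
}

# Typical use (placeholder names):
#   make_nodecode_profile nodecode exampleproto
#   tshark -C nodecode -r capture.pcap -V > dump.txt
```

With the misdetecting dissector disabled in that profile, the UDP payload is no longer handed to it, so the packets show up as plain data instead of "malformed".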