Wireshark mailing list archives

Re: How to access the payload of a protocol in tshark


From: Christopher Maynard <Christopher.Maynard () gtech com>
Date: Tue, 7 Aug 2012 20:48:14 +0000 (UTC)

Joerg Mayer <jmayer@...> writes:

> I'm looking for a way to access the payload of a protocol in tshark and
> haven't found one.

I was recently trying to do something similar for one of our older protocols
that nobody had yet written a dissector for, but I was unable to come up with a
solution.  For me, it would have been good enough if something like "-e
data.data[n:m]" or "-e frame[n:m]" worked, but unfortunately neither of them do.

I ended up having to write a basic enough dissector to get at least some of the
data of interest out of it quickly.

> What I'd like to use with the -e option is something like "<protocol>.payload"
> for protocols that have a payload that is not dissected via the protocol
> dissector.
> This element could be a hidden field.
> The output could be either text, hex or raw (binary), depending on a -E
> parameter (or maybe a new option), see the -z follow feature.

> Is this already possible and I just missed it?

I am unaware of such a feature ... but maybe I missed it too.

> If not, does this feature sound reasonable?

Yes! +1

- Chris


___________________________________________________________________________
Sent via:    Wireshark-dev mailing list <wireshark-dev () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-dev
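
Added example, not part of the original message and not Wireshark code: the reply above reports that "-e data.data[n:m]" does not work, so one workaround is to print the whole field and cut the byte range out afterwards. The script assumes its input came from "tshark -r capture.pcap -T fields -e frame.number -e data.data" (tab-separated, hex with or without ':' separators); the file name, function names and sample lines are constructed for illustration.

```python
"""Slice bytes [n:m] out of the hex that tshark prints for a field.

Assumed input (not from the original thread): lines produced by
    tshark -r capture.pcap -T fields -e frame.number -e data.data
i.e. "<frame number>\t<hex>", where the hex may or may not use ':'
separators and is empty for frames that carry no undissected data.
"""
import binascii

# Constructed sample lines, not real capture output.
SAMPLE = (
    "1\t01:02:03:04:de:ad:be:ef\n"
    "2\t\n"
    "3\t0a0b0c0d0e0f\n"
    "4\t01:02\n"
)


def parse_line(line):
    """Return (frame_number, payload_bytes) for one tab-separated line."""
    number, _, hexfield = line.rstrip("\r\n").partition("\t")
    # tshark joins repeated occurrences of a field with ','; keep the first.
    first = hexfield.split(",")[0]
    cleaned = first.replace(":", "").strip()
    try:
        payload = binascii.unhexlify(cleaned)
    except (binascii.Error, ValueError) as exc:
        raise ValueError(f"frame {number}: not hex: {hexfield!r}") from exc
    return int(number), payload


def slice_payloads(text, start, end):
    """Map frame number -> payload[start:end]; None if the payload is too short."""
    result = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        number, payload = parse_line(line)
        # Refuse to return a truncated slice: a short frame yields None instead.
        result[number] = payload[start:end] if len(payload) >= end else None
    return result


if __name__ == "__main__":
    for frame, chunk in slice_payloads(SAMPLE, 2, 6).items():
        print(frame, chunk.hex() if chunk is not None else "-")
```

Frames whose payload is shorter than the requested range come back as None rather than as a silently truncated slice, which matters when the bytes feed a fixed-width field parser.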