List:       wireshark-users
Subject:    Re: [Wireshark-users] Strip off protocol layers
From:       sean bzd <seanbzd () gmail ! com>
Date:       2012-02-07 19:32:06
Message-ID: CAHLZz_qgmzkn7b_sbPiav7fbdVSp18sC7rJ500shkRRuuDO7fQ () mail ! gmail ! com

Thank you so much. That's exactly what I needed. I earlier went through the
documentation for tshark but missed that option.

On Tue, Feb 7, 2012 at 1:30 PM, j.snelders <j.snelders@telfort.nl> wrote:

> Hi Sean,
>
> You can use the option -O
>
> $ tshark -h
> -O protocols: Only show packet details of these protocols, comma separated
>
> $ tshark -r Clmt_04.pcap -O http -V > clmt_04a.txt
> $ tshark -r Clmt_04.pcap -O tcp,http -V > clmt_04b.txt
>
> BTW
> I'm running TShark 1.6.5
>
> Best regards
> Joke
>
>
> On Tue, 7 Feb 2012 12:45:49 -0500 sean wrote:
> >Hi,
> >I'm using tshark to convert .pcap to .txt format using the -r option and
> >redirecting the output to a file, e.g. tshark -r file.pcap -V>file.txt
> >The problem is that the size of the txt file is about 30x larger than the
> >pcap since I'm using the -V(erbose) option. I'm wondering if there is a way
> >to strip off some of the protocol headers that I'm not interested in, e.g.
> >I want to strip off the 'Frame', 'Ethernet' and 'IP' protocol layers before
> >redirecting the output to a txt. Is that possible? Another idea is to
> >selectively expand (Verbose) only the protocols I'm interested in. Is any
> >of this possible? If yes, I'd appreciate some advice. Thanks a lot.
> >Sean.
>
>
>
>
>
> ___________________________________________________________________________
> Sent via:    Wireshark-users mailing list <wireshark-users@wireshark.org>
> Archives:    http://www.wireshark.org/lists/wireshark-users
> Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
>              mailto:wireshark-users-request@wireshark.org?subject=unsubscribe
>
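
Added example (not part of either poster's message): a post-processing filter for the stripping the original question describes, removing whole layers such as Frame, Ethernet and IP from `tshark -V` text output. It assumes plain `-V` output without `-x`, where each layer header starts in column 0, its detail lines are indented, and a blank line separates packets; `strip_layers`, `DROP` and the sample packets are constructed for illustration.

```python
import sys

# Constructed sample in the shape of `tshark -V` output (not from a real capture).
SAMPLE = """\
Frame 1: 74 bytes on wire (592 bits), 74 bytes captured (592 bits)
    Frame Length: 74 bytes
Ethernet II, Src: 00:00:5e:00:53:01, Dst: 00:00:5e:00:53:02
    Type: IP (0x0800)
Internet Protocol Version 4, Src: 192.0.2.10, Dst: 192.0.2.20
    Time to live: 64
Transmission Control Protocol, Src Port: 49152, Dst Port: 80, Len: 20
    Source port: 49152
    Destination port: 80
Hypertext Transfer Protocol
    GET /index.html HTTP/1.1\\r\\n
    Host: example.test\\r\\n

Frame 2: 60 bytes on wire (480 bits), 60 bytes captured (480 bits)
    Frame Length: 60 bytes
Ethernet II, Src: 00:00:5e:00:53:02, Dst: 00:00:5e:00:53:01
Internet Protocol Version 4, Src: 192.0.2.20, Dst: 192.0.2.10
    Time to live: 64
Transmission Control Protocol, Src Port: 80, Dst Port: 49152, Len: 0
    Source port: 80
"""

# Header prefixes of the layers to remove (assumed spellings; adjust to your output).
DROP = ("Frame ", "Ethernet", "Internet Protocol")

def strip_layers(text, drop_prefixes):
    """Remove each layer (header line plus indented details) whose header
    starts with one of drop_prefixes; keep one blank line between packets."""
    out, dropping = [], False
    for line in text.splitlines():
        if not line.strip():
            # Blank line marks a packet boundary: emit a single separator.
            if out and out[-1] != "":
                out.append("")
            dropping = False
            continue
        if not line[0].isspace():
            # Column-0 text is a layer header; it decides for the whole layer.
            dropping = line.startswith(tuple(drop_prefixes))
        if not dropping:
            out.append(line)
    return "\n".join(out).strip() + "\n"

if __name__ == "__main__":
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(strip_layers(text, DROP))
```

Saved under a name of your choice, the script reads `tshark -r file.pcap -V` output on stdin and writes the reduced text to stdout.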
