Wireshark mailing list archives

Re: Wireshark-users Digest, Vol 94, Issue 10
From: Mathias Koerber <mathias () koerber org>
Date: Mon, 24 Mar 2014 09:21:14 +0800

I'm trying to have tshark decode a number of packets I got from an
strace(1) output (params of write, read, recvfrom etc).
Thus they are not including any layers below UDP.

I am using Perl's String::Unescape and Data::Hexdumper to
convert them to a format similar to what od(1) would output, then
   text2pcap -q -i 6 -u 10000,53
(as an example for a DNS packet) to make a pcap input file
and then
   tshark -l -V -N t -r filename </dev/null >filename2 2>&1
to have tshark decode them.

However, that also decodes the dummy lower layers I had
text2pcap add to get a full packet.

1. Is there a way to not have to have text2pcap add those
   dummy layers (ie, can I tell tshark that all it will find
   in the pcap file is UDP packets)?

If not:

2. Is there a way to have tshark only decode the UDP part
   and print it in -V detail?  I don't need the full dummy

Sent via:    Wireshark-users mailing list <wireshark-users () wireshark org>
Archives:    http://www.wireshark.org/lists/wireshark-users
Unsubscribe: https://wireshark.org/mailman/options/wireshark-users
             mailto:wireshark-users-request () wireshark org?subject=unsubscribe
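
The conversion step described in the message above (strace-quoted buffer to od-style hex dump for text2pcap), as an added example that is not part of the original post. It uses Python rather than the poster's Perl modules; the function names are hypothetical and the sample buffer is a constructed DNS query, not data from the thread.

```python
import re

# Escapes strace uses inside quoted buffers (C string syntax).
SIMPLE = {"n": 0x0A, "t": 0x09, "r": 0x0D, "v": 0x0B, "f": 0x0C,
          "\\": 0x5C, '"': 0x22}
# One token: \xHH (strace -x), \N..\NNN octal, \<char>, or a literal char.
TOKEN = re.compile(r"\\(x[0-9a-fA-F]{2}|[0-7]{1,3}|.)|([^\\])", re.DOTALL)


def strace_unescape(quoted: str) -> bytes:
    """Turn the text between the quotes of a strace buffer into raw bytes."""
    out = bytearray()
    pos = 0
    while pos < len(quoted):
        m = TOKEN.match(quoted, pos)
        if m is None:
            raise ValueError(f"dangling backslash at offset {pos}")
        esc, literal = m.groups()
        if literal is not None:
            out += literal.encode("ascii")
        elif len(esc) == 3 and esc[0] == "x":
            out.append(int(esc[1:], 16))
        elif esc[0] in "01234567":
            out.append(int(esc, 8))  # raises ValueError above \377
        elif esc in SIMPLE:
            out.append(SIMPLE[esc])
        else:
            raise ValueError(f"unknown escape \\{esc} at offset {pos}")
        pos = m.end()
    return bytes(out)


def to_text2pcap(payload: bytes, width: int = 16) -> str:
    """Format bytes as 'offset  hex hex ...' lines; offset 0 starts a packet."""
    rows = []
    for off in range(0, len(payload), width):
        row = " ".join(f"{b:02x}" for b in payload[off:off + width])
        rows.append(f"{off:06x}  {row}")
    return "\n".join(rows) + "\n"


# Constructed sample: a DNS query for example.com as strace would quote it.
# "\0224" is byte 0x12 followed by the literal character '4' (0x34).
SAMPLE = r"\0224\1\0\0\1\0\0\0\0\0\0\7example\3com\0\0\1\0\1"

if __name__ == "__main__":
    print(to_text2pcap(strace_unescape(SAMPLE)), end="")
```

The printed dump contains only the UDP payload, so it is the input for the text2pcap invocation quoted in the message, which supplies the dummy lower layers.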
