3

I have a simple question:

Is there any way in Wireshark to avoid resolution of protocols besides the protocol of layer 3?

For example, in the Protocol column, instead of showing HTTP, I want it to show TCP or its value (6).

I can see that in the menu Analyze / Enabled Protocols we can disable them one by one, but for very big traces with lots of different protocols like "eDonkey", "QUAKE", etc., it costs a lot of time...

javardo

3 Answers

3

In the latest Wireshark (1.8 or so) at least, after opening the "Enabled Protocols..." dialog, you can just click on "Disable All" and then enable only the few protocols that you need. Mostly this will be:

  • SLL - Linux cooked-mode capture - so you can read the file
  • IPv4 (or IPv6) - your layer 2 protocols
  • TCP, UDP, ARP - your layer 3 protocols

Clicking on about six checkboxes is not too bad, is it?

chutz
  • SLL assumes you're running on Linux and that you're using the "any" interface. You'd probably want to enable the interface type(s) in use, e.g. Ethernet or IEEE 802.11. `Statistics→Protocol Hierarchy` will show you lower-layer protocols that need to be enabled for a particular capture file. – Gerald Combs Nov 07 '12 at 17:30
  • Well... the ideal situation would be to enable all from this list: http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xml – javardo Nov 07 '12 at 17:36
0

In Preferences → Protocols → TCP you can disable Allow subdissector to reassemble TCP streams, which should achieve what you want.

Or, in Enabled Protocols, you can disable TCP itself, and you will be presented with raw IP packets :)

zhenech
  • I cannot find that option, not even the menu "Preferences". I'm using the latest version of Wireshark for Mac – javardo Nov 07 '12 at 17:33
0

I discovered that there is a configuration file called `disabled_protos`, where you can just put the protocols you do not want Wireshark to resolve, or vice versa.

Thanks for your help guys.

javardo
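The `disabled_protos` approach from the answer above, as an added example that is not part of the original posts: a shell function that turns a protocol listing into the names to disable, keeping only a small allow-list. It assumes the file holds one protocol filter name per line and that the listing is the tab-separated output of `tshark -G protocols` (third field is the filter name); `KEEP`, `build_disabled_protos` and `sample_listing` are names invented here, and the sample listing is constructed.

```shell
#!/bin/sh
# Added example: build disabled_protos content from a protocol listing.
# Assumed input: `tshark -G protocols` output, tab-separated, where
# field 3 is the protocol filter name (the name disabled_protos uses).

# Filter names to keep enabled. Include the link-layer type of the capture
# (eth, sll, ...): disabling a lower layer hides everything above it.
KEEP="eth sll ip ipv6 arp tcp udp"

# Reads a protocol listing on stdin and prints, one per line, the filter
# name of every protocol that is NOT in $KEEP (duplicates removed, sorted).
build_disabled_protos() {
    awk -F '\t' -v keep="$KEEP" '
        BEGIN {
            n = split(keep, k, " ")
            for (i = 1; i <= n; i++) allow[k[i]] = 1
        }
        # Skip malformed lines, allowed protocols and repeated names.
        NF >= 3 && !($3 in allow) && !seen[$3]++ { print $3 }
    ' | sort
}

# Constructed sample in the shape of `tshark -G protocols` output
# (not a real dump; the last record is a deliberate duplicate).
sample_listing() {
    printf '%s\t%s\t%s\n' \
        'Ethernet' 'Ethernet' 'eth' \
        'Internet Protocol Version 4' 'IPv4' 'ip' \
        'Transmission Control Protocol' 'TCP' 'tcp' \
        'Hypertext Transfer Protocol' 'HTTP' 'http' \
        'eDonkey Protocol' 'EDONKEY' 'edonkey' \
        'Quake Network Protocol' 'QUAKE' 'quake' \
        'Hypertext Transfer Protocol' 'HTTP' 'http'
}

# Offline demo on the constructed sample.
sample_listing | build_disabled_protos

# Real use (assumes tshark is installed; CONFIG_DIR is a placeholder for
# the personal configuration directory, which varies by platform/version):
#   tshark -G protocols | build_disabled_protos > "$CONFIG_DIR/disabled_protos"
```

Back up any existing `disabled_protos` before overwriting it, and restart Wireshark so the file is read again.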