On Thu, May 03, 2007 at 05:29:24PM -0400, Kerry L Foster wrote:
Is it possible to control what information is being saved by tshark
into the output capture file?
The only way that I know of is the -s snapshot len option, which
specifies how many bytes of each packet to read/save. This could be
used in your case as long as all of the packets had the exact same
length for the lower level protocols (ethernet, ip, udp, etc.)
I assume tshark does not support this capability which leads me to the
next question. If I (or someone else) were to implement this
capability (to contribute back), where would the best place be to add
it? Could I add it as a preference within the RTP dissector (something
like '-o rtp.clear_payload:TRUE')? Then from the RTP dissector, just
manipulate the tvb-real_data buffer or tvb-length based upon the
preference setting (it could simply zero out RTP payload, or maybe
even modify the UDP/RTP lengths, etc.). It looks like dissect_packet()
passes a pointer to the original packet data and not to a copied
buffer, so it looks feasible.
That is probably the best place to put this sort of feature.
Steve
___
Wireshark-users mailing list
Wireshark-users@wireshark.org
http://www.wireshark.org/mailman/listinfo/wireshark-users