Layer 3 Protocol only in wireshark

Question

I have a simple question:

is there any way in wireshark to avoid resolution of protocol besides the protocol of layer 3 ?

For example, in the column protocol, instead of showing http, I want it to show TCP or it's value (6).

I can see in menu analyse / enabled protocols we can disable one by one, but for very big traces with lots of differente protocols like "eDonkey" "QUAKE" etc, it's costs a lot of time...

score 3 · Answer 1 · answered Nov 07 '12 at 17:00

In the latest wireshark (1.8 or so) at least, after opening the "Enabled Protocols..." dialog, you can just click on "Disable All" and then enable only the few protocols that you need. Mostly this will be:

SLL - Linux cooked-mode capture - so you can read the file
IPv4 (or IPv6) - your layer 2 protocols
TCP, UDP, ARP - your layer 3 protocols

Clicking on about six checkboxes is not too bad, is it?

score 0 · Answer 2 · answered Nov 07 '12 at 17:01

0

In Preferences → Protocols → TCP you can disable Allow subdissector to reassemble TCP streams, which should achieve what you want.

Or, in Enabled Protocols, you can disable TCP itself, and you will be presented with raw IP packets :)

answered Nov 07 '12 at 17:01

zhenech

1,502

score 0 · Answer 3 · answered Nov 07 '12 at 18:40

0

I discovered that there is a configuration file called disabled_protos, where you can just put the protocols you do not want wireshark to resolve or vice-versa.

Thanks for your help guys.

answered Nov 07 '12 at 18:40

javardo

31

Layer 3 Protocol only in wireshark

3 Answers3