
How to enable the analyze protocol with editing config file


I would like to enable the analyze protocol mac-nr for tshark. I know we can usually enable it through the Wireshark GUI (Analyze->Enabled Protocols), but my environment can't bring up the Wireshark GUI, and we only need to use tshark.

I have tried adding mac-nr to the personal config file ~/.config/wireshark/enabled_protos, but it doesn't seem to take effect.

Which file should I modify to enable the protocols?

Thanks!

lhe asked 2021-07-21 01:51:55 +0000

Comments

And is there any method/cmd which can list all the enabled protocols? (without using GUI). Thanks.

lhe (2021-07-21 01:54:36 +0000)

To make tshark use a personal config file, pass in the config name with the -C option.

grahamb (2021-07-21 08:51:48 +0000)

Hi, the protocol should be enabled by default, but I think it's one of the decoders that needs information on the channel configuration. Looking at the code there seem to be preferences that can be filled in. Not sure how to do that with tshark.

Anders (2021-07-21 10:28:00 +0000)

Thanks all for the comments. I edited the config file under the default personal config file path of Wireshark, which doesn't help. If I add the full path and filename (~/.config/wireshark/enabled_protos) after '-C', it always reports that the profile does not exist. :( mac-nr is disabled by default since not a lot of people need it. Thanks

lhe (2021-07-21 14:13:45 +0000)

Passing the profile name works for me (in Windows). I have created a new profile first though.

grahamb (2021-07-21 14:41:03 +0000)

1 Answer


The tshark option to enable a protocol is --enable-protocol, e.g.

    --enable-protocol mac-nr

The tshark option to list all the dissectors is -G dissector-tables. I would use ">" to redirect the output to a file because the list is long.

BigFatCat answered 2021-07-21 07:56:38 +0000
grahamb updated 2021-07-21 08:50:13 +0000

Comments

Thank you for your answer. I've tried the --enable-protocol, but it doesn't work for me. For the "-G dissector-tables" output, it seems I can't see all the enabled dissectors in the output. (For example, the protocol AAF is enabled by default, but I can't find it in the output :( )

I also tried "-G protocols"; the output lists much more, and also shows mac-nr. I think it lists all the supported protocols, not only the enabled ones. Thanks.

lhe (2021-07-21 14:43:50 +0000)

proto_mac_nr is registered as a heuristic (packet-mac-nr.c):

    /* Add as a heuristic UDP dissector */
    heur_dissector_add("udp", dissect_mac_nr_heur, "MAC-NR over UDP", "mac_nr_udp", proto_mac_nr, HEURISTIC_DISABLE);

Try with the tshark --enable-heuristic <short_name> option.

You might want to test in Wireshark with a known good capture to see what preferences may need to be set (using the tshark option -o).

    ~$ tshark -G heuristic-decodes | grep -i mac
    udp     mac-nr  F
    udp     mac-lte F

Chuckc (2021-07-21 15:08:58 +0000)
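The procedure the thread arrives at (list the heuristic dissectors with -G heuristic-decodes, then turn mac-nr on per run with --enable-heuristic) can be scripted without the GUI. The script below is an added example, not code from the thread or from the Wireshark project. It assumes tshark is on PATH when you want real output; the listing parser itself runs on a constructed sample so it works offline. Two names are easy to confuse here: the -G heuristic-decodes listing prints the protocol filter name (mac-nr, as in the output above), while --enable-heuristic takes the short name from the heur_dissector_add() registration in packet-mac-nr.c (mac_nr_udp). Also, -C expects a profile name under the personal config directory, not a path to a file, which is why passing ~/.config/wireshark/enabled_protos reports a missing profile. The capture file name and the profile argument are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread: query and enable the
# mac-nr heuristic dissector from the command line only (no Wireshark GUI).

# heur_state NAME   (reads "tshark -G heuristic-decodes" output on stdin)
# Each line of that listing is: <table> <protocol filter name> <T|F>.
# Prints "enabled", "disabled", or "unknown" if NAME is not listed at all.
heur_state() {
    awk -v name="$1" '
        BEGIN { state = "unknown" }
        $2 == name { state = ($3 == "T") ? "enabled" : "disabled" }
        END { print state }'
}

# dissect_with_mac_nr CAPTURE [PROFILE]
# Runs tshark with the heuristic turned on for this invocation only.
# --enable-heuristic takes the short name registered in packet-mac-nr.c
# (mac_nr_udp), not the filter name the listing shows (mac-nr).
# -C takes a profile *name* under the personal config directory.
dissect_with_mac_nr() {
    capture=$1
    profile=$2
    set -- -r "$capture" --enable-heuristic mac_nr_udp -Y mac-nr
    if [ -n "$profile" ]; then
        set -- -C "$profile" "$@"
    fi
    # Any decoder preferences mac-nr needs can be added here with -o, as
    # -o 'mac-nr.<pref>:<value>'; the thread does not name the preferences.
    tshark "$@"
}

# Constructed sample of the listing, in the format the thread shows.
SAMPLE_LISTING='udp mac-nr F
udp mac-lte F'

if command -v tshark >/dev/null 2>&1; then
    echo "mac-nr heuristic default state: $(tshark -G heuristic-decodes | heur_state mac-nr)"
else
    echo "tshark not installed; parsing the constructed sample instead:"
    echo "mac-nr heuristic state: $(printf '%s\n' "$SAMPLE_LISTING" | heur_state mac-nr)"
fi

# Pass a capture file (and optionally a profile name) to actually dissect it,
# e.g.:  sh enable_mac_nr.sh capture.pcapng myprofile
if [ $# -ge 1 ]; then
    dissect_with_mac_nr "$@"
fi
```

If the heuristic still does not fire after it is enabled, that points at the decoder preferences Anders mentions rather than at the enable step; check them in Wireshark on a known good capture, then carry them over with -o.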
