Disable Protocols in Tshark


Introduction

In this lab, you will learn how to control protocol analysis in Wireshark's command-line tool tshark by selectively disabling and enabling protocols. You'll practice reading packet captures with -r, excluding UDP traffic using --disable-protocol udp, and verifying results with verbose output (-V).

The exercises provide hands-on experience with protocol filtering, output comparison, and display control. You'll work with a sample capture.pcap file while learning essential tshark commands in a structured lab environment.


Read File with -r capture.pcap

In this step, you will learn how to read a packet capture file using Wireshark's command-line tool tshark with the -r option. This is the first step in analyzing network traffic from a pre-recorded capture file. The -r flag tells tshark to read packets from a file rather than capturing live network traffic.

  1. First, ensure you're in the correct working directory where the packet capture file is stored. This is important because tshark needs to know where to find the file:

    cd ~/project
  2. The lab environment provides a sample packet capture file named capture.pcap. Let's verify its existence and check its properties before we proceed. The ls -l command shows detailed file information including size and permissions:

    ls -l capture.pcap

    You should see output similar to:

    -rw-r--r-- 1 labex labex 12345 Jan 1 00:00 capture.pcap
  3. Now we'll read the capture file with tshark. The basic command simply displays a summary of each packet including timestamp, source/destination addresses, and protocol:

    tshark -r capture.pcap
  4. For deeper analysis, we can use the -V flag to see verbose output. This shows all protocol details and packet contents in a hierarchical format, which is useful when you need to examine specific protocol fields:

    tshark -r capture.pcap -V
  5. When working with large capture files, you might want to limit the output. The -c option lets you specify how many packets to display. Here we're showing just the first 5 packets:

    tshark -r capture.pcap -c 5

Disable UDP with --disable-protocol udp

In this step, you will learn how to filter out UDP (User Datagram Protocol) traffic when analyzing packet captures using Wireshark's command-line tool tshark. UDP is a common transport layer protocol, but sometimes you may want to exclude it to focus on analyzing other protocols like TCP. The --disable-protocol option allows you to completely ignore UDP packets during analysis.

  1. First, ensure you're still in the correct working directory where your packet capture file is located. This ensures all commands will work with the correct file:

    cd ~/project
  2. To disable UDP protocol analysis while reading the capture file, use the --disable-protocol option followed by the protocol name. This tells tshark to skip processing any packets using UDP:

    tshark -r capture.pcap --disable-protocol udp
  3. Let's compare this filtered output with the original unfiltered output from step 1. The head -n 10 command shows just the first 10 lines of output for easier comparison:

    tshark -r capture.pcap --disable-protocol udp | head -n 10

    You should notice UDP packets are now missing from the output.

  4. To properly verify that UDP packets are being excluded, we can count them before and after applying the filter. The first command counts all UDP packets in the original file, while the second should return 0 since we've disabled UDP processing:

    # Count all UDP packets in original capture
    tshark -r capture.pcap -Y "udp" | wc -l

    # Count UDP packets after disabling protocol (should be 0)
    tshark -r capture.pcap --disable-protocol udp -Y "udp" | wc -l
  5. You can combine protocol disabling with other display filters. This example shows only TCP traffic while completely ignoring all UDP packets at the processing level:

    tshark -r capture.pcap --disable-protocol udp -Y "tcp"

    Remember that --disable-protocol works differently from display filters (-Y): it stops tshark from running the UDP dissector at all, so the packet is never decoded past the IP layer and no "udp" layer exists for a display filter to match, rather than the packet simply being hidden from view.

Verify Exclusion with -V

In this step, we'll verify that tshark is correctly excluding UDP packets from analysis. The verbose (-V) flag allows us to see detailed packet information, which helps confirm whether our --disable-protocol udp setting is working properly. This is important because network analysis often requires focusing on specific protocols while ignoring others.

  1. First, ensure you're in the correct working directory where your packet capture file is located:

    cd ~/project
  2. Now run tshark with both the disable protocol and verbose flags. The head -n 30 command shows only the first 30 lines of output, making it easier to review:

    tshark -r capture.pcap --disable-protocol udp -V | head -n 30

    Examine the output carefully. You should see detailed protocol information for packets, but no UDP-related content should appear.

  3. To specifically check for UDP protocol absence, we'll use grep to search for "UDP" in the output. The wc -l command counts matching lines:

    tshark -r capture.pcap --disable-protocol udp -V | grep -i "udp" | wc -l

    A count of zero confirms that tshark isn't processing any UDP packets. If you see any number greater than zero, the exclusion isn't working correctly.

  4. For comparison, let's see what normal verbose output looks like without protocol disabling:

    tshark -r capture.pcap -V | grep -i "udp" | head -n 5

    This command may show UDP packets if they exist in your capture file. The difference between this output and the previous command's output demonstrates the effect of --disable-protocol udp.

  5. Finally, let's examine just one packet in detail to verify protocol exclusion at the packet level:

    tshark -r capture.pcap --disable-protocol udp -V -c 1

    The -c 1 option limits output to just one packet. Check the protocol layers in this packet's output: you should see no mention of UDP in the protocol hierarchy.

Re-enable with --enable-protocol udp

In this step, you'll learn how to restore UDP protocol analysis in tshark after disabling it. This is important when you need to analyze all network traffic again, including UDP packets which are commonly used for DNS, video streaming, and other real-time applications.

  1. First, ensure you're in the correct working directory where your packet capture file is stored:

    cd ~/project

    This command navigates to the project directory where we'll be working with our packet capture file (capture.pcap).

  2. To reactivate UDP protocol analysis, use the --enable-protocol option followed by the protocol name:

    tshark -r capture.pcap --enable-protocol udp

    This tells tshark to process UDP packets again when reading the capture file.

  3. Let's verify UDP packets are now being processed by counting them:

    tshark -r capture.pcap --enable-protocol udp -Y "udp" | wc -l

    The -Y "udp" filter shows only UDP packets, and wc -l counts them. You should now see UDP packets if they exist in your capture.

  4. To clearly see the difference, compare outputs with UDP enabled versus disabled:

    # With UDP enabled (should display UDP packets)
    tshark -r capture.pcap --enable-protocol udp -Y "udp" | head -n 5

    # With UDP disabled (should show empty output)
    tshark -r capture.pcap --disable-protocol udp -Y "udp" | head -n 5

    The head -n 5 shows just the first 5 lines of output for quick comparison.

  5. For thorough verification, check that UDP protocol details appear in verbose output:

    tshark -r capture.pcap --enable-protocol udp -V | grep -i "User Datagram Protocol" | head -n 3

    The -V shows detailed packet information, and we're filtering for UDP protocol headers to confirm they're being processed again.
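To make the behaviour behind the disable, verify and re-enable steps above concrete without depending on the lab's capture.pcap, here is an added example (not part of the lab, and not Wireshark's own code). It constructs a small pcap file with two UDP and two TCP packets, then runs a toy dissector chain that mirrors how tshark hands an IPv4 payload to the TCP or UDP dissector via the ip.proto table. Passing a protocol name in `disabled` plays the role of --disable-protocol, passing an empty set plays the role of --enable-protocol, and `display_filter` plays the role of -Y. The addresses, ports and payloads are constructed sample values; the layer names and the `dissect`, `summarize` and `write_pcap` functions are this example's own, chosen to resemble tshark's output rather than to reproduce it.

```python
"""Toy model of how --disable-protocol changes tshark's dissection.

Added example, not part of the lab or of Wireshark's code. The capture is
constructed in memory (a few IPv4/UDP and IPv4/TCP frames) so it runs offline;
write_pcap() saves it so the reader can also point tshark -r at it.
"""
import socket
import struct
import tempfile

# pcap global header: magic, v2.4, tz 0, sigfigs 0, snaplen, linktype 1 = Ethernet
PCAP_GLOBAL_HEADER = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)


def ipv4_packet(proto, src, dst, payload):
    """Ethernet + IPv4 frame carrying `payload` (checksums left 0, constructed data)."""
    eth = b"\x00" * 12 + b"\x08\x00"          # zero MACs, EtherType IPv4
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64, proto,
                     0, socket.inet_aton(src), socket.inet_aton(dst))
    return eth + ip + payload


def udp_segment(sport, dport, data):
    return struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data


def tcp_segment(sport, dport):
    # seq 1, ack 0, data offset 5 words, SYN flag, window 65535
    return struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)


# Constructed sample traffic: two UDP (DNS-like) frames and two TCP frames.
SAMPLE_FRAMES = [
    ipv4_packet(17, "10.0.0.1", "10.0.0.53", udp_segment(5353, 53, b"dns query")),
    ipv4_packet(6, "10.0.0.1", "10.0.0.80", tcp_segment(40000, 80)),
    ipv4_packet(17, "10.0.0.53", "10.0.0.1", udp_segment(53, 5353, b"dns reply")),
    ipv4_packet(6, "10.0.0.80", "10.0.0.1", tcp_segment(80, 40000)),
]


def build_pcap(frames=SAMPLE_FRAMES):
    """Serialize frames into a little-endian pcap byte string."""
    out = bytearray(PCAP_GLOBAL_HEADER)
    for i, frame in enumerate(frames):
        # record header: ts_sec, ts_usec, captured length, original length
        out += struct.pack("<IIII", 1700000000 + i, 0, len(frame), len(frame))
        out += frame
    return bytes(out)


def write_pcap(path, frames=SAMPLE_FRAMES):
    with open(path, "wb") as f:
        f.write(build_pcap(frames))
    return path


def read_pcap(data):
    """Yield raw frames from a pcap produced by build_pcap()."""
    off = 24
    while off < len(data):
        _, _, incl_len, _ = struct.unpack_from("<IIII", data, off)
        off += 16
        yield data[off:off + incl_len]
        off += incl_len


# Equivalent of Wireshark's "ip.proto" dissector table.
IP_PROTO_TABLE = {6: "tcp", 17: "udp"}


def dissect(frame, disabled=frozenset()):
    """Return the layer list for one frame, in the spirit of frame.protocols.

    A disabled dissector is never run, so the bytes it would have decoded stay
    as undissected 'data'. The frame itself is still present, which is why a
    plain packet count does not change when udp is disabled.
    """
    layers = ["eth"]
    if struct.unpack_from("!H", frame, 12)[0] != 0x0800:
        return layers + ["data"]
    layers.append("ip")
    name = IP_PROTO_TABLE.get(frame[14 + 9])     # IPv4 protocol field
    layers.append("data" if name is None or name in disabled else name)
    return layers


def summarize(pcap_bytes, disabled=frozenset(), display_filter=None):
    """One (src, dst, top-layer) row per frame, like a 'tshark -r' summary line.

    display_filter keeps only frames whose layer list contains that protocol,
    which is what -Y "udp" does once the udp layer exists.
    """
    rows = []
    for frame in read_pcap(pcap_bytes):
        layers = dissect(frame, disabled)
        if display_filter and display_filter not in layers:
            continue
        src, dst = socket.inet_ntoa(frame[26:30]), socket.inet_ntoa(frame[30:34])
        rows.append((src, dst, layers[-1].upper()))
    return rows


if __name__ == "__main__":
    path = write_pcap(tempfile.mktemp(suffix=".pcap"))   # try: tshark -r <path>
    cap = build_pcap()
    print("all frames:              ", summarize(cap))
    print("udp disabled:            ", summarize(cap, disabled={"udp"}))
    print("udp disabled, -Y udp:    ", summarize(cap, disabled={"udp"}, display_filter="udp"))
    print("udp re-enabled, -Y udp:  ", summarize(cap, disabled=set(), display_filter="udp"))
    print("sample pcap written to:  ", path)
```

Running the script shows the point of the three steps in one place: with udp disabled the frame count is unchanged but the UDP frames now end at the DATA layer, so a "udp" filter matches nothing (the zero count from the verify step), and an empty `disabled` set restores the UDP layer so the same filter matches the two UDP frames again (the re-enable step).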

Summary

In this lab, you have learned how to use tshark for protocol analysis by working with a sample packet capture file. You practiced basic commands like -r for file reading and -V for detailed output, which form the foundation of packet analysis in tshark.

The lab also guided you through protocol filtering techniques, specifically disabling UDP traffic using --disable-protocol udp. By comparing filtered and unfiltered outputs, you observed how to effectively isolate specific protocol traffic during analysis.