Wireshark-bugs: [Wireshark-bugs] [Bug 5241] Cannot run tshark under tcp using decode-as format f
Date: Tue, 21 Sep 2010 08:30:07 -0700 (PDT)
https://bugs.wireshark.org/bugzilla/show_bug.cgi?id=5241

--- Comment #2 from Michael <mworsham@xxxxxxxxxx> 2010-09-21 08:30:06 PDT ---
(In reply to comment #1)
> What RFC is syslog-ng over TCP? I can only find RFC 5425 talking about
> syslog-tls.
> Do you have a sample capture to work with?

If you attempt to do "tshark -V -d tcp.port==514,syslog", the tshark responds
with a listing of valid protocols for the layer type "tcp.port" and syslog
isn't one of them.

Dump file is available here: http://www.murpe.com/syslog-ng.tshark-dump.txt

To me the message appears to be proper RFC 3164 BSD syslog format which should
work OK. http://www.ietf.org/rfc/rfc3164.txt

Syslog message: USER.NOTICE: Sep 20 22:19:30 drupal root: daemon\n
    0000 1... = Facility: USER - random user-level messages (1)
    .... .101 = Level: NOTICE - normal but significant condition (5)
    Message: Sep 20 22:19:30 drupal root: daemon\n

-- 
Configure bugmail: https://bugs.wireshark.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.