http://roberthogan.net/stuff/tn3270-dissector/

Step One
--------
Patch svn wireshark with tn3270-XXXXX.diff. You can do this by:

    svn co http://anonsvn.wireshark.org/wireshark/trunk/ wireshark
    cd wireshark
    patch -p0 < /location/of/tn3270-XXXXX.diff

Step Two
--------
Compile wireshark:

    ./autogen.sh
    ./configure
    make

Step Three
----------
Run wireshark:

    ./wireshark

Step Four
---------
You can then dissect the sample dump at:
http://roberthogan.net/stuff/tn3270-dissector/tn3270sample.pcap

To dissect a 3270 stream, select 'decode as' and then telnet. The telnet
dissector will call my 3270 dissector when it recognises a 3270 stream.

The dissector currently relies on the 'terminal type' telnet command issued by
the client to recognise 3270 streams. The tn3270 terminal types it is aware of
are anything that begins with IBM-3277, IBM-3278 or IBM-3279, i.e.:

    if ((strcmp(terminaltype,"IBM-3279-2-E") == 0) ||
        (strcmp(terminaltype,"IBM-3279-2") == 0) ||
        (strcmp(terminaltype,"IBM-3278-2-E") == 0) ||
        (strcmp(terminaltype,"IBM-3278-2") == 0) ||
        (strcmp(terminaltype,"IBM-3278-3") == 0) ||
        (strcmp(terminaltype,"IBM-3278-4") == 0) ||
        (strcmp(terminaltype,"IBM-3278-5") == 0) ||
        (strcmp(terminaltype,"IBM-3277-2") == 0) ||
        (strcmp(terminaltype,"IBM-3279-3") == 0))

It is quite possible that the 3270 streams you're interested in are not
detected properly by the dissector. If they are not, please send me a sanitized
dump so that I can try debugging it.

The dissector is extremely raw, but as you should see from the sample dump, it
does work in the only test case available to me at the moment!

Email: robert@roberthogan.net
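
The terminal-type check described above compares against a fixed list with strcmp, so a client announcing, say, IBM-3278-4-E is not recognised. The following is an added example, not code from the dissector or from Wireshark: it pulls the name out of a telnet TERMINAL-TYPE IS subnegotiation (RFC 1091) and tests it by family prefix. All function names, the 64-byte name buffer and the sample bytes are assumptions made for the illustration.

```c
#include <ctype.h>
#include <stddef.h>

enum { IAC = 255, SB = 250, SE = 240, TELOPT_TTYPE = 24, TTYPE_IS = 0 };

/* Constructed sample: a client reply announcing IBM-3278-4-E. */
const unsigned char sample_subneg[] = { 255, 250, 24, 0,
    'I','B','M','-','3','2','7','8','-','4','-','E', 255, 240 };

/* Copy the name out of "IAC SB TERMINAL-TYPE IS <name> IAC SE".
 * Returns the name length, or -1 if the buffer is not a complete, well-formed
 * TERMINAL-TYPE IS subnegotiation or the name does not fit in out. */
int ttype_from_subneg(const unsigned char *buf, size_t len, char *out, size_t outsz)
{
    size_t i, n = 0;

    if (len < 6 || outsz == 0 || buf[0] != IAC || buf[1] != SB ||
        buf[2] != TELOPT_TTYPE || buf[3] != TTYPE_IS)
        return -1;
    for (i = 4; i + 1 < len; i++) {
        if (buf[i] == IAC) {              /* only IAC SE may follow the name */
            if (buf[i + 1] != SE)
                return -1;
            out[n] = '\0';
            return (int)n;
        }
        if (n + 1 >= outsz)               /* leave room for the terminator */
            return -1;
        out[n++] = (char)buf[i];
    }
    return -1;                            /* ran out of data before IAC SE */
}

/* Prefix test for the three model families named in the text. Case is folded
 * because RFC 1091 treats upper and lower case in the name as equivalent. */
int is_3270_family(const char *ttype)
{
    static const char *const prefixes[] = { "IBM-3277", "IBM-3278", "IBM-3279" };
    size_t p, i;

    for (p = 0; p < sizeof prefixes / sizeof prefixes[0]; p++) {
        for (i = 0; prefixes[p][i] != '\0'; i++)
            if (toupper((unsigned char)ttype[i]) != prefixes[p][i])
                break;                    /* also stops at a short name's NUL */
        if (prefixes[p][i] == '\0')
            return 1;
    }
    return 0;
}
```

A capture that telnet decodes but the 3270 dissector ignores can be checked the same way: read the terminal type the client sent and see whether it falls outside the hard-coded list.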