Reputation: 1267
how to extract data from pcap file
I have a few pcap files, I can see the memcache protocol in wireshark and its corresponding data, but when I use tshark to batch export data, it only shows one character(0x0b), why?
the command I use: tshark -Y "memcache contains set" -r input.pcap -T fields -e memcache.value Thank you! BTW, memcache key works fine. And I can't share the files here as they are confidential.
Upvotes: 2
Views: 5235
Answers (1)
Reputation: 991
Works for me:
$tshark -r 3006-example.cap -Y "memcache.command==set" -T fields -e memcache.value
hello, world!
noreplyset
Test file: that attached to Wireshark bug 3467
I do note that 0x0b is not a printable ascii character. The memcache dissector assumes that the 'value' is an ascii string.
If you look at the 'value' field in the appropriate packet in your capture file, is it an ascii string ?
edit: looking at the memcache protocol spec, it appears that the 'value' field should be treated as "unstructured data" and not as an ascii string. Please feel free to file a bug report at bugs.wireshark.org
Upvotes: 3
Related Questions
- How do I extract all the features from a pcap file using Wireshark?
- Extract TCP payload from pcap file
- How to convert raw packet data into a PCAP file?
- Extracting PCAP using Tshark
- How to use libpcap to parse pcap file.
- Find data transfered by wireshark on pcap file
- Parsing a .pcap file in plain C
- How to extract full set of features from an existing pcap file using tshark or any other tool?
- How to restore data from a pcap file?
- Getting particular information out of pcap files