Extract specific byte offset using tshark

Question

I have a pcap of ICMP packets. I am trying to use tshark to extract the payload data so that I can extract a specific byte offset.

The tshark documentation is highly convoluted, especially for me, a beginner.

I've been searching around a lot and I'm trying to piece together a command for the purpose of my goal.

I can run the following command:

shark -r test.pcapng -Y icmp -z flow,icmp,network > output.bin

But it only outputs the packet list as it were shown in Wireshark.

For example, I am trying to extract the following byte offset from each packet (offset 22):

How would I go about extracting a specific byte offset with tshark?

EDIT:

Issuing the following command only returns a portion of the payload data, how can I get all of it?

tshark -r test.pcapng -Y "frame.number == 13" -T fields -e data -w output.bin

Answer 1

I've provided an answer over at https://ask.wireshark.org/question/14795/extract-specific-byte-offset-using-tshark/, but for convenience, I'll summarize the 2 possible solutions I provided here. In a nutshell:

1. The highlighted byte in the image appears to be the TTL field of the IP header. If that's the field you're interested in, you can obtain it via:

   tshark -r test.pcapng -Y "frame.number == 13" -T fields -e ip.ttl -w output.bin
   

2. If you're looking for a more general solution to print the 22nd byte of the packet, regardless of whether it's the ip.ttl field or not, then you can use a solution such as:

   tshark -r test.pcapng -Y "frame.number == 13" -x -w output.bin | grep "^0010" | cut -d ' ' -f 9
   

The 2nd solution above also illustrates how you can dump all the bytes; it's done using tshark's -x option.