Reputation: 512
tshark: capture specific bytes from a packet data (content)
I have a captured trace (.pcap) file and I want to read the data field of each captured packet in this trace. I can do this using this command:
tshark -r aa.pcap -Tfields -Y "udp" -e data
3000ca02f89f0004000115af0000017900.......
This command reads all the content in the data field of each packet. My question is that how can I read specific bytes from the data (e.g. the 5th and 6th bytes only)
f89f
Upvotes: 0
Views: 2192
Answers (1)
Reputation: 6254
If you have cut available on your system, you could pipe the tshark output to it to isolate the characters you desire. For example:
tshark -r aa.pcap -Tfields -Y "udp" -e data | cut -c 9-12
You can even test this as follows:
echo 3000ca02f89f0004000115af0000017900 | cut -c 9-12
f89f
EDIT: I adjusted the offsets from 10-13 to 9-12, as that seems to be the correct offsets. If you quote the characters in the echo command, then you need 10-13, but those aren't the right offsets you need for the tshark output.
Upvotes: 1
Related Questions
- tshark.exe: capture traffic without content, only headers of packets
- How to separate data from different files in a single TCP packet?
- Extract specific byte offset using tshark
- Export raw packet bytes in tshark, tcpdump, or similar?
- send packetdata from tshark to wireshark
- How to extract raw data from TCP packets using Wireshark
- How to capture only TCP traffic with tshark
- Wireshark Packets 'Data' Format
- How can i limit the packet size when i am capturing with Tshark using command line
- Capturing Data from Tshark