This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

capturing of line based text data

0

I am trying to filter the line-based text data out of the captured packets using tshark.

tshark -i 3 -R data-text-lines -V

Using the command above would get me a whole data packet, but I would like to extract the line-based text only. Is it possible to obtain only the line based text? Or else any advice for doing that?

asked 21 May '12, 01:38

sharkblue
6113
accept rate: 0%

edited 21 May '12, 02:09

helloworld
3.1k42041


2 Answers:

0

Are you only looking for the content of a web page and want to search for patterns within that text? If so, please use this command:

tshark -i 2 -T fields -e text port 80| find "your text"

You can extend the output with IP addresses or any other fields:

tshark -i 2 -T fields -e ip.src -e ip.dst -e text port 80| find "your text"

Regards
Kurt

answered 21 May '12, 08:58

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 21 May '12, 14:06

helloworld
3.1k42041

You can also use the contains operator in your display filter (which removes the dependency on a second command):

tshark -i 3 -R "data-text-lines contains '{your text}' " -e data-text-lines

or matches (for matching with regular expression):

tshark -i 3 -R "data-text-lines matches '{regex}' " -e data-text-lines
(21 May '12, 14:20) helloworld

1

Use the -T fields parameter, and specify data-text-lines as a -e field:

tshark -i 3 -R data-text-lines -T fields -e data-text-lines

answered 21 May '12, 02:14

helloworld
3.1k42041
accept rate: 28%

I have used the above cmd, but it only shows

c:\Program Files\Wireshark>tshark -i 2 -R data-text-lines -T fields -e data-text-lines
Capturing on Microsoft
Line-based text data: application/x-www-form-urlencoded
Line-based text data: application/x-javascript
Line-based text data: text/html
...

Below is an extract of the script information from line-based text data which I hope I could extract out without the chunk encoding. Would it be possible with another filter?

(21 May '12, 07:09) sharkblue

xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
cc0 4c d3 64 3c 8e 21 0d 84 47 e0 2e 94 46 31 d5 95 L.d<.!..G...F1..
0cd0 5a 18 48 c1 6d 3e 0d 93 11 c5 6e a2 4f 38 7e 73 Z.H.m>....n.O8~s
0ce0 2c 8b 6d a6 be 61 71 29 c8 93 3a 01 d4 80 47 47 ,.m..aq)..:...GG
0cf0 ba 94 0e 41 3d 02 95 9e 4e b2 d9 38 49 4f 79 96 ...A=...N..8IOy.

(21 May '12, 07:09) sharkblue

............................. [truncated] <meta name="robots" content="noodp, noydir"/><meta name="descri ption" content=" FPeople use Facebook style=" position:absolute;="" top:-1000="" 0px;="" width:0px;="" height:0px;"="">

static.ak.fbcdn.net\/rsrc.php\/v2\/yU\/r\/iyBtuT5z-Pk.css
(21 May '12, 07:09) sharkblue

I would like to capture the specific part using a filter //truncated] <meta name="robots" content="noodp, noydir"/><meta name="descri ption" content=" FPeople use Facebook style=" position:absolute;=""//

(21 May '12, 07:11) sharkblue

c480c480c48012c480c480c480c480614dc3be103d3dc3a2c3a963c3adc295c29538c38ec282c28a337fc2a81fc2883838496e0fc3afc2a60b310e59265d6ac39a61646d696e

(15 May '16, 14:07) Rama15

Any additional information? Or are we supposed to decode what you ask for from that hex string?

(15 May '16, 14:43) sindy
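
The follow-up comments above ask for the text without the chunked encoding. As an added example (not part of the original thread and not Wireshark code), this Python script removes HTTP chunked transfer coding from the raw bytes of one response and returns the body lines that match a regular expression, much like the matches filter shown earlier. The function names and the sample response are assumptions constructed for illustration.

```python
import re

def dechunk(body):
    """Decode an HTTP/1.1 chunked message body (RFC 7230, section 4.1)."""
    out, pos = bytearray(), 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ValueError("truncated chunk-size line")
        # The size is hexadecimal; anything after ';' is a chunk extension.
        size = int(body[pos:eol].split(b";", 1)[0].strip(), 16)
        pos = eol + 2
        if size == 0:  # last-chunk: trailer fields, if any, are ignored
            return bytes(out)
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ValueError("chunk data truncated or not CRLF-terminated")
        out += body[pos:pos + size]
        pos += size + 2

def matching_lines(response, pattern):
    """Return the body lines of one raw HTTP response that match a regex."""
    head, sep, body = response.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("end of headers not found")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip().lower()
    if b"chunked" in headers.get(b"transfer-encoding", b""):
        body = dechunk(body)
    text = body.decode("utf-8", errors="replace")
    rx = re.compile(pattern)
    return [ln for ln in text.splitlines() if rx.search(ln)]

def _chunk(data):
    """Build one chunk for the constructed sample below."""
    return b"%x\r\n" % len(data) + data + b"\r\n"

# Constructed sample: the <meta> tag is split across two chunks.
SAMPLE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"
          b"Transfer-Encoding: chunked\r\n\r\n"
          + _chunk(b'<html><head>\n<meta name="rob')
          + _chunk(b'ots" content="noodp, noydir"/>\n</head>')
          + _chunk(b"</html>\n") + b"0\r\n\r\n")

if __name__ == "__main__":
    for hit in matching_lines(SAMPLE, r'<meta name="robots"'):
        print(hit)
```

Because the chunks are joined before the text is split into lines, a pattern that straddles a chunk boundary still matches.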