This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark command to write payload to a file

0

Hi, can someone tell me what arguments we need to pass to the tshark command to capture all the request and response (HTTP XML) messages and write them to a file in txt format? I am aware of the -W option, but the issue is that the file data is not readable; it can only be read by a tool like Wireshark. My plan is to read the payload messages from Java code after getting the data into a file by using the tshark command.

asked 28 May '12, 02:19

vikram

edited 28 May '12, 07:39

cmaynard ♦♦

Hi, I am able to use the below command and able to see the payload...

tshark -r test2.log -R "http" -V

(I used tshark -i eth1 -d tcp.port=8101,http -w test2.log for capturing the traffic)

The problem now is that, along with the payload, I see a lot of additional frame and network-related data. Can someone tell me any filter expression that I can use so that I will get only the payload (HTTP req/resp messages), or at least with minimal network-related data?

(28 May '12, 06:23) vikram

From the tshark manual page:

NOTE: -w provides raw packet data, not text. If you want text output you need to redirect stdout (e.g. using '>'), don't use the -w option for this.

(28 May '12, 06:28) Jaap ♦

One Answer:

1

From the tshark manual page:

-T pdml|psml|ps|text|fields

pdml Packet Details Markup Language, an XML-based format for the details of a decoded packet. This information is equivalent to the packet details printed with the -V flag.

answered 28 May '12, 06:31

Jaap ♦

Hi Jaap, thanks a lot for your reply. I am interested in reading only the actual message that is being sent (in my case it is XML). Is there any way to filter out as much as possible of the data that is being captured and get only the payload? When I use -T pdml, even the frame-related network information comes in the form of XML, and the file becomes too huge.

(29 May '12, 00:24) vikram

tshark -i eth1 -R http -V > test2.txt

When I use the above command, the data comes in txt format. However, sometimes the payload message comes only in hexadecimal format. Is there any filter option to get the payload data as simple text?

(30 May '12, 02:07) vikram
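
Added example, not part of the original thread: one way to handle the two follow-up problems (PDML output too large, payload shown as hex) is to stream the PDML and keep only the HTTP body field, decoding its hex bytes to text. It assumes the PDML was produced with `tshark -r test2.log -T pdml` redirected to a file and that the body is carried in a field named `http.file_data` whose `value` attribute holds the raw bytes as hex; the sample PDML and the name `http_payloads` are constructed for illustration.

```python
import io
import xml.etree.ElementTree as ET

# Constructed, heavily simplified PDML: real tshark output has many more
# fields and attributes per layer. Packet 2 carries no HTTP body.
BODY = "<order><id>42</id></order>"
SAMPLE_PDML = f"""<pdml>
 <packet>
  <proto name="frame"><field name="frame.number" show="1"/></proto>
  <proto name="ip"><field name="ip.src" show="10.0.0.5"/></proto>
  <proto name="tcp"><field name="tcp.srcport" show="8101"/></proto>
  <proto name="http">
   <field name="http.response.code" show="200"/>
   <field name="http.file_data" show="..." value="{BODY.encode().hex()}"/>
  </proto>
 </packet>
 <packet>
  <proto name="frame"><field name="frame.number" show="2"/></proto>
  <proto name="tcp"><field name="tcp.srcport" show="8101"/></proto>
 </packet>
</pdml>""".encode()


def http_payloads(pdml_stream, field="http.file_data"):
    """Yield (frame_number, body_text) for every packet that carries `field`.

    The field name is an assumption; pass another name if the body shows up
    under a different field in your capture.
    """
    # iterparse streams the file, so frame/ip/tcp layers are never kept around.
    for _, elem in ET.iterparse(pdml_stream, events=("end",)):
        if elem.tag != "packet":
            continue
        frame = elem.find("proto[@name='frame']/field[@name='frame.number']")
        number = frame.get("show") if frame is not None else None
        for f in elem.iterfind(f".//field[@name='{field}']"):
            raw = bytes.fromhex(f.get("value", ""))
            # Captured bytes are untrusted input: decode leniently and treat
            # the result as opaque text rather than assuming well-formed XML.
            yield number, raw.decode("utf-8", errors="replace")
        elem.clear()  # release the packet's children to keep memory flat


if __name__ == "__main__":
    for number, body in http_payloads(io.BytesIO(SAMPLE_PDML)):
        print(f"frame {number}: {body}")
```

For a real capture, pass an open binary file handle for the exported PDML file instead of the embedded sample.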