
Hi

Can anybody help to decapsulate only the data or payload from all other network-related data, so that I can easily find the data transmitted from one IP address?

I have a system transmitting data, and need to extract that data for display on another system.

I have recorded a Wireshark file, but I need help to get Tshark or Wireshark to isolate or extract 'data only'.

Per

asked 06 Sep '12, 02:02

Great Dane


There are a number of ways to do this. One way to do this would be to open the file using Wireshark, and then right click on one of the packets of interest and choose "Follow TCP stream" or "Follow UDP stream" from the popup menu. Another way to do something like that would be to use Tshark to dump just the tcp.data or udp.data. For example, you could use a command line like this:

    tshark -r sample1.pcap -R 'tcp && ip.addr==192.168.0.141' -Tfields -etcp.data

which would dump all tcp.data as hex strings.

answered 08 Sep '12, 07:28

eberoset
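As an added example (not code from the page or from the Wireshark project), the following Python script does the same job as the tshark command in the answer above without the dissector layer: it walks a classic pcap file, keeps only IPv4 packets sent to or from one address, and returns the TCP or UDP payload of each, cut at the IP total length so that the padding on short Ethernet frames is not mistaken for data. It assumes an Ethernet capture in classic pcap format (a .pcapng file has to be converted first, e.g. with editcap -F pcap), no VLAN tags or IP fragments, and it does not reorder or reassemble segments: the concatenated output is in capture order, unlike Follow TCP Stream. The sample capture is constructed inline and carries no real traffic.

```python
import socket
import struct

# Added example (not from the page or the Wireshark project): a minimal pcap
# reader that returns what "tshark -T fields -e tcp.segment_data" would for one
# address, without the dissector layer. Assumes classic pcap (not pcapng),
# Ethernet link type, IPv4, no VLAN tags, no fragments, no TCP reassembly.

# pcap magic as read little-endian -> endianness of the rest of the file
PCAP_MAGIC = {0xA1B2C3D4: "<", 0xA1B23C4D: "<", 0xD4C3B2A1: ">", 0x4D3CB2A1: ">"}
LINKTYPE_ETHERNET = 1


def iter_frames(pcap: bytes):
    """Yield the raw link-layer bytes of each record in a classic pcap file."""
    magic = struct.unpack("<I", pcap[:4])[0]
    if magic not in PCAP_MAGIC:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    end = PCAP_MAGIC[magic]
    if struct.unpack(end + "I", pcap[20:24])[0] != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled here")
    off = 24
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "IIII", pcap[off:off + 16])[2]
        off += 16
        yield pcap[off:off + incl_len]
        off += incl_len


def extract_payloads(pcap: bytes, ip: str, proto: str = "any"):
    """(src, dst, sport, dport, 'tcp'|'udp', payload) for every non-empty
    TCP/UDP payload in a packet sent to or from ip, in capture order."""
    out = []
    for frame in iter_frames(pcap):
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":  # IPv4 EtherType only
            continue
        iph = frame[14:]
        ihl = (iph[0] & 0x0F) * 4
        total_len = struct.unpack("!H", iph[2:4])[0]
        src, dst = socket.inet_ntoa(iph[12:16]), socket.inet_ntoa(iph[16:20])
        if ip not in (src, dst):
            continue
        # Cut at the IP total length: frames shorter than 60 bytes are padded on
        # the wire, and that padding is not payload (the dissector drops it too).
        l4 = iph[ihl:total_len]
        if iph[9] == 6 and len(l4) >= 20 and proto in ("any", "tcp"):
            sport, dport = struct.unpack("!HH", l4[:4])
            name, payload = "tcp", l4[(l4[12] >> 4) * 4:]
        elif iph[9] == 17 and len(l4) >= 8 and proto in ("any", "udp"):
            sport, dport, ulen = struct.unpack("!HHH", l4[:6])
            name, payload = "udp", l4[8:ulen]
        else:
            continue
        if payload:
            out.append((src, dst, sport, dport, name, payload))
    return out


def join_payloads(pcap: bytes, src: str, proto: str = "tcp") -> bytes:
    """Concatenate the payloads sent *from* src: the payload-only file the
    question asks for. Capture order only; no sequence-number reordering."""
    return b"".join(p[5] for p in extract_payloads(pcap, src, proto) if p[0] == src)


# --- constructed sample capture; no real traffic ----------------------------

def _frame(src, dst, proto_num, l4):
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto_num, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    eth = b"\x00" * 12 + b"\x08\x00" + iph + l4      # zero MACs, checksums unset
    return eth + b"\x00" * max(0, 60 - len(eth))     # minimum Ethernet frame padding


def _tcp(src, dst, sport, dport, payload=b""):
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return _frame(src, dst, 6, hdr + payload)


def _udp(src, dst, sport, dport, payload):
    return _frame(src, dst, 17, struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload)


def build_pcap(frames):
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    return hdr + b"".join(struct.pack("<IIII", 0, i, len(f), len(f)) + f
                          for i, f in enumerate(frames))


SAMPLE_PCAP = build_pcap([
    _tcp("192.168.0.141", "10.0.0.5", 40000, 80, b"GET / HTTP/1.0\r\n"),
    _tcp("10.0.0.5", "192.168.0.141", 80, 40000),               # bare ACK, no data
    _tcp("192.168.0.141", "10.0.0.5", 40000, 80, b"Host: x\r\n\r\n"),
    _tcp("10.0.0.5", "192.168.0.141", 80, 40000, b"OK"),         # short, padded frame
    _udp("192.168.0.141", "10.0.0.9", 5000, 5000, b"ping"),
    _tcp("10.0.0.7", "10.0.0.8", 1, 2, b"not ours"),             # other hosts, filtered out
])

if __name__ == "__main__":
    for src, dst, sp, dp, name, data in extract_payloads(SAMPLE_PCAP, "192.168.0.141"):
        print(f"{name} {src}:{sp} -> {dst}:{dp} {data.hex()}")
    print(join_payloads(SAMPLE_PCAP, "192.168.0.141"))
```

On a current tshark the equivalent one-liner is tshark -r file.pcap -Y 'ip.addr==192.168.0.141' -T fields -e tcp.segment_data (the field the answer calls tcp.data; -Y is the display-filter option that replaced -R, and recent releases also expose tcp.payload and udp.payload). Writing the output with -w does not help for this purpose: -w always writes complete packets, headers included, in pcap or pcapng format.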

Thanks.

I can add how to transfer payload data to a binary file:

tshark -V -r e:\wwireshark1.pcapng -R ip.src==192.1.1.200 -w e:\raw.bin

Great Dane

(27 Sep '12, 03:55) Great Dane

"Another way to do something like that would be to use Tshark to dump just the tcp.data or udp.data."

I found neither of these filters worked, although I did find tcp.sequence_data did. No equivalent for UDP apparently.

"... -w e:\raw.bin" Doesn't this write the whole packet, headers and all?

(08 Oct '13, 06:56) wiggers

The field was renamed from tcp.data to tcp.segment_data in Wireshark version 1.10 and higher. Also note that the filter only works when the data isn't being dissected by some other dissector. So the way to get just that part of the data is a bit counterintuitive. Here's how to do it, using HTTP traffic as an example:

  1. start Wireshark and open the dialog Analyze->Enabled Protocols...
  2. choose the protocol or protocols you're interested in extracting (e.g. http) and disable them (no, that's not a typo!)
  3. save that setting and exit Wireshark
  4. run tshark as tshark -r mydata.pcap -Tfields -edata
  5. you might wish to go back into Wireshark and re-enable the protocol(s)

What you'll get is hex dumps of only the undecoded data (which is why you disabled them). Note that this works with both TCP and UDP without change. For further details on disabling protocols, see this question and answer.

(08 Oct '13, 11:36) beroset

Would love to know something I can pipe these hexdumps through to get an ASCII translation. I've tried xxd -r, but the decode gets garbled part way through. tshark / Wireshark decode them just fine.

(06 Mar '15, 05:09) rosensama
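As an added example, not from the page or from the Wireshark project, the following Python script turns the per-packet hex lines that tshark -T fields -e tcp.segment_data (or -e data) prints into bytes and a readable text dump. xxd -r expects the offset-prefixed layout of xxd's own hexdump, which is why it loses sync on tshark's bare hex strings; xxd -r -p reads plain hex, but the ':' separators that older tshark releases print between bytes and the ',' that tshark uses to join several occurrences of a field in one packet still have to be stripped first, and the script handles both. The input lines are constructed, not real tshark output.

```python
import binascii
import sys

# Added example (not from the page or the Wireshark project): decode the
# per-packet hex lines that "tshark -T fields -e tcp.segment_data" (or -e data)
# prints. Assumptions: one line per packet, possibly empty; several occurrences
# of the field in one packet are joined with ',' (tshark's default aggregator);
# bytes may carry ':' separators (older tshark) or none (current tshark).

# Constructed sample of tshark -T fields output, not real capture data.
SAMPLE_LINES = [
    "474554202f20485454502f312e300d0a",   # "GET / HTTP/1.0\r\n"
    "",                                   # packet with no payload (bare ACK)
    "48:6f:73:74:3a:20:78:0d:0a:0d:0a",   # older colon-separated style
    "4f4b,0d0a",                          # two occurrences in one packet
    "ff00",                               # non-text bytes
]


def decode_field_line(line: str) -> list:
    """One output line -> list of byte strings, one per field occurrence."""
    line = line.strip()
    if not line:
        return []
    values = []
    for chunk in line.split(","):
        hexstr = chunk.replace(":", "")
        if len(hexstr) % 2:
            raise ValueError(f"odd-length hex value: {chunk!r}")
        values.append(binascii.unhexlify(hexstr))  # raises on non-hex input
    return values


def decode_lines(lines) -> bytes:
    """All payload bytes in the order tshark printed them (capture order)."""
    return b"".join(v for line in lines for v in decode_field_line(line))


def to_text(data: bytes, subst: str = ".") -> str:
    """ASCII rendering: printable 7-bit characters and CR/LF/TAB as-is,
    everything else replaced by subst so binary does not wreck the terminal."""
    return "".join(chr(b) if 0x20 <= b < 0x7F or b in b"\r\n\t" else subst for b in data)


if __name__ == "__main__":
    # tshark -r f.pcap -Y 'ip.addr==192.168.0.141' -T fields -e tcp.segment_data | python3 this.py
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    sys.stdout.write(to_text(decode_lines(source)))
```

Write decode_lines() output to a file with "wb" to get the raw payload bytes; to_text() is only for eyeballing, since it replaces every non-ASCII byte.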
question asked: 06 Sep '12, 02:02

question was seen: 11,376 times

last updated: 06 Mar '15, 05:09