This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Decapsulation of data


Hi

Can anybody help me decapsulate only the data (payload) from all the other network-related data, so that I can easily find the data transmitted from one IP address?

I have a system transmitting data, and need to extract that data for display on another system.

I have recorded a Wireshark file, but I need help getting Tshark or Wireshark to isolate or extract 'data only'.

Per

asked 06 Sep '12, 02:02


Great Dane


One Answer:


There are a number of ways to do this. One way to do this would be to open the file using Wireshark, and then right click on one of the packets of interest and choose "Follow TCP stream" or "Follow UDP stream" from the popup menu. Another way to do something like that would be to use Tshark to dump just the tcp.data or udp.data. For example, you could use a command line like this:

tshark -r sample1.pcap -R 'tcp && ip.addr==192.168.0.141' -Tfields -etcp.data

which would dump all tcp.data as hex strings.

answered 08 Sep '12, 07:28


eberoset

Thanks.

I can add how to transfer payload data to a binary file:

tshark -V -r e:\wwireshark1.pcapng -R ip.src==192.1.1.200 -w e:\raw.bin

Great Dane

(27 Sep '12, 03:55) Great Dane

"Another way to do something like that would be to use Tshark to dump just the tcp.data or udp.data."

I found neither of these filters worked, although I did find tcp.sequence_data did. No equivalent for UDP apparently.

"... -w e:\raw.bin" Doesn't this write the whole packet, headers and all?

(08 Oct '13, 06:56) wiggers

The field was renamed from tcp.data to tcp.segment_data in Wireshark version 1.10 and higher. Also note that that filter only works when the data isn't being dissected by some other dissector. So the way to get just that part of the data is a bit counterintuitive. Here's how to do it, using http traffic as an example:

  1. start Wireshark and open the dialog Analyze->Enabled Protocols...
  2. choose the protocol or protocols you're interested in extracting (e.g. http) and disable them (no, that's not a typo!)
  3. save that setting and exit Wireshark
  4. run tshark as tshark -r mydata.pcap -Tfields -edata
  5. you might wish to go back into Wireshark and re-enable the protocol(s)

What you'll get is hex dumps of only the undecoded data (which is why you disabled them). Note that this works with both TCP and UDP without change. For further details on disabling protocols, see this question and answer.

(08 Oct '13, 11:36) beroset

Would love to know something I can pipe these hexdumps through to get an ASCII translation. I've tried xxd -r, but the decode gets garbled part way through. tshark / Wireshark decode them just fine.

(06 Mar '15, 05:09) rosensama
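The two preceding comments go together: beroset's procedure produces a hex field per packet from tshark -T fields -e data, and the last comment asks how to turn those hex dumps into readable ASCII. The script below is an added example for this archive, not code from anyone in the thread or from the Wireshark project. It assumes tshark was run as tshark -r capture.pcap -T fields -e frame.number -e ip.src -e data (tab-separated output, one line per packet) and parses a constructed sample of that output. The sample deliberately mixes the three shapes the data field can take: colon-separated hex as older tshark prints it, bare hex as newer versions print it, and comma-joined values when one packet carries the field more than once. None of those separators are hexdump syntax that xxd -r understands, which is a likely reason a plain xxd -r run goes astray part way through; the parser here strips them explicitly and rejects odd-length or non-hex input instead of silently producing garbage.

```python
"""Turn tshark '-T fields -e data' hex output into per-packet bytes and ASCII.

Added example; the sample lines below are constructed to look like the output of
    tshark -r capture.pcap -T fields -e frame.number -e ip.src -e data
and are not taken from a real capture.
"""

# Constructed sample: frame number, source IP, data field (tab-separated).
# Line 1: colon-separated hex (older tshark), "GET / HTTP/1.1\r\n"
# Line 2: packet with no undissected payload -> empty field
# Line 3: bare hex, and two occurrences of the field joined by a comma
# Line 4: binary payload with non-printable bytes
SAMPLE = "\n".join([
    "1\t192.0.2.10\t47:45:54:20:2f:20:48:54:54:50:2f:31:2e:31:0d:0a",
    "2\t192.0.2.20\t",
    "3\t192.0.2.10\t48656c6c6f,0d0a",
    "4\t192.0.2.20\t00:01:02:ff",
])


def hex_field_to_bytes(field):
    """Convert one tshark hex field value to bytes.

    Accepts 'de:ad:be:ef', 'deadbeef' and comma-joined repeats 'dead,beef'.
    Raises ValueError on odd-length or non-hex input rather than guessing.
    """
    cleaned = field.replace(":", "").replace(",", "").strip()
    if not cleaned:
        return b""
    if len(cleaned) % 2:
        raise ValueError(f"odd-length hex field: {field!r}")
    return bytes.fromhex(cleaned)  # raises ValueError on non-hex characters


def to_ascii(data, replacement="."):
    """Render bytes the way a hex dump's ASCII column does: 0x20-0x7e as-is, rest as '.'."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else replacement for b in data)


def parse_tshark_fields(text):
    """Parse tab-separated tshark field lines into (frame, src_ip, payload_bytes)."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, src, hexdata = line.split("\t")
        records.append((int(frame), src, hex_field_to_bytes(hexdata)))
    return records


def payload_by_source(text, src_ip):
    """Concatenate the payload bytes sent by one source address, in capture order.

    This is the 'data from one IP address' the original question asked for.
    """
    return b"".join(payload for _, src, payload in parse_tshark_fields(text) if src == src_ip)


if __name__ == "__main__":
    for frame, src, payload in parse_tshark_fields(SAMPLE):
        print(f"{frame:>3}  {src:<12}  {payload.hex():<34}  {to_ascii(payload)}")
    print("--- all payload from 192.0.2.10 ---")
    print(to_ascii(payload_by_source(SAMPLE, "192.0.2.10")))
```

To use it on a real capture, save the tshark output to a file and read it into SAMPLE's place; if the capture still has the application-layer dissector enabled, the data field will be empty for those packets, which is exactly the point of the disable step above.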