This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Here's the problem:

I have some network traffic pcap files. I need the raw data layer packets from these files, which I can get (in one file) by right-clicking the 'data' layer, and 'Export selected packet bytes...', but I then have to combine these raw files for all packets in the capture.

I can print just the data, in ASCII format, using tshark:

tshark -r infile -T fields -e data

But, when I try to do the same thing for the raw data:

tshark -r infile -T fields -e data -w outfile.raw

I'm not sure that outfile.raw is what I want. A file that I've converted manually can't be opened in Wireshark, as it can't understand the format. The one generated using the above command (outfile.raw) can be, so I'm assuming it's still outputting the headers.

Is there any way to either convert the hex/ascii back to raw packet data, or to output JUST the data payload in raw format?

I have many files to convert in this fashion, and being able to script the process would greatly speed things up...

asked 30 Oct '12, 09:19


shearn89

If you have the output of the raw data in ASCII, you can always convert that to a binary file with a script !??!

So, what are you going to do with the raw data that you can't do with the ASCII representation of that data?

(30 Oct '12, 09:54) Kurt Knochner ♦

Ah, I hadn't thought of that! That might be a good simple solution to my problem. I need to netcat the data into a network socket that my program listens on, and it's expecting raw data, not ASCII...

(31 Oct '12, 02:12) shearn89

To answer my question for future googlers: I used @Kurt's suggestion, and converted the ascii to binary.

I had to remove the newlines that tshark adds in between the packets, so:

tshark -r infile -T fields -e data | tr -d '\n' > tempfile

I then used the following short python script to convert from tempfile to binary:

import binascii
import sys

# read the hex text that tshark produced (newlines already stripped with tr);
# strip() drops any trailing whitespace that would break unhexlify
string = open(sys.argv[1], 'r').read().strip()

# unhexlify returns bytes, so write to the binary stdout buffer;
# needs to be stdout.write (not print) to avoid a trailing newline
sys.stdout.buffer.write(binascii.unhexlify(string))

You can then redirect the output of the python script to a file, and you get exactly what I need.

Also, it turns out this is equivalent to "follow tcp stream" in the Wireshark gui, and exporting the data as raw. EDIT: the reason 'follow tcp stream' wouldn't have worked in this situation is that I had two streams I needed in one file, in the order they were sent.

answered 31 Oct '12, 03:15

shearn89

edited 15 Jan '13, 15:08
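The two-step procedure in the accepted answer (tshark prints the data field as hex, tr strips the newlines, a script unhexlifies the result) can be folded into one script that also copes with the cases the one-liner silently mishandles: packets with no data layer (tshark prints an empty line for them) and packets where the data field occurs more than once (tshark joins the occurrences with a comma by default, which unhexlify would reject). The following is an added example written for this page, not code from the original answer or from the Wireshark project; the sample input is constructed to look like `tshark -r infile -T fields -e data` output, and the comma handling assumes tshark's default field aggregator.

```python
import binascii
import sys

# Constructed sample of `tshark -r infile -T fields -e data` output, one line
# per packet: two ordinary packets, a packet whose payload is a bare newline,
# a packet with no data layer (empty line) and a packet with two data fields
# (comma-separated, assumed default tshark aggregator).
SAMPLE_TSHARK_OUTPUT = """48656c6c6f2c20
776f726c64
0a

414243,444546
"""


def tshark_hex_to_bytes(text):
    """Convert tshark '-e data' hex output into one concatenated raw payload.

    Empty lines (packets without a data layer) are skipped, so no separate
    `tr -d '\\n'` pass is needed; comma-separated occurrences within a line
    are appended in order. A field that is not valid hex raises ValueError
    naming the line, so a corrupt packet can be located in the capture.
    """
    out = bytearray()
    for lineno, line in enumerate(text.splitlines(), 1):
        for field in line.strip().split(','):
            field = field.strip()
            if not field:
                continue  # packet without a data layer
            try:
                out += binascii.unhexlify(field)
            except (binascii.Error, ValueError) as exc:
                # binascii.Error covers odd-length and non-hex input
                raise ValueError("line %d: bad hex field %r: %s"
                                 % (lineno, field, exc))
    return bytes(out)


def main(argv):
    # usage: python hex2raw.py tempfile > payload.raw
    # (reads stdin when no file name is given)
    src = open(argv[1], 'r') if len(argv) > 1 else sys.stdin
    with src:
        payload = tshark_hex_to_bytes(src.read())
    # write to the binary buffer: no text encoding, no trailing newline
    sys.stdout.buffer.write(payload)
    return 0


if __name__ == '__main__':
    sys.exit(main(sys.argv))
```

Because the script reads stdin, the whole pipeline becomes `tshark -r infile -T fields -e data | python hex2raw.py > payload.raw`, which is easy to loop over many capture files; it also runs unchanged on Windows, where tr is not normally available.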

Do any of you know how to do this using the Windows command line?

(18 Jun '15, 06:40) dippy

I think -w forces tshark to write the packets out again in pcap format, which you can easily verify by running the capinfos tool, e.g. "capinfos outfile.raw". It will tell you what File Type it is.

Maybe you can try to redirect the console output into a file by using the ">" operator. I haven't tried it, but maybe something like this works (or gives you an idea):

tshark -r infile -T fields -e data >outfile.raw

answered 30 Oct '12, 09:39

Jasper ♦♦

That produces an ASCII file, which is what I'm trying to avoid. Cheers for the idea though!

(31 Oct '12, 02:14) shearn89
question asked: 30 Oct '12, 09:19

question was seen: 59,531 times

last updated: 18 Jun '15, 07:20