This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hi all,

I want to export raw hexadecimal values and timestamp of all my selected packets.

Unfortunately exporting as "C arrays" does not show the timestamp and also includes a quite annoying ASCII representation.

Moreover the exported file is not in a format like "one packet per line". All this makes my life quite difficult trying to tokenize strings with sed and tr...

Is there any other option?

In the UDP payload of my packets are contained fields of a simple protocol that I defined for research purposes and I need to analyze those fields together with the time stamp.

I was considering creating a dissector but, given my lack of experience, it turns out to be quite complicated and time consuming for my purpose.

To give an example of the output that I'd like to get:

This is what I'd like to have:

2012-11-15,  12:53:32.1432, 0x60, 0x00, 0x00, 0x00, 0x00, 0x2b, 0x11, 0x41, 0x20, 0x01, 0x07, 0x70, 0x01, 0x9e, 0x00, 0x03, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x41, 0x20, 0x01, 0x07, 0x70, 0x01, 0x9e, 0x00, 0x03

This is what I currently get exporting in "C Arrays"

/* Frame (83 bytes) */
static const unsigned char pkt63[83] = {
0x60, 0x00, 0x00, 0x00, 0x00, 0x2b, 0x11, 0x41, /* `....+.A */
0x20, 0x01, 0x07, 0x70, 0x01, 0x9e, 0x00, 0x03, /*  ..p.... */
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x0b, 0x41, /* .......A */
0x20, 0x01, 0x07, 0x70, 0x01, 0x9e, 0x00, 0x03, /*  ..p.... */
};

Btw, the previous Wireshark version (1.6.11) has a slightly better "C Array" output because it does not show the ASCII part...

Is "hexdump" used there?

Thanks a million

Davide

Any help/comment is much appreciated

Thanks and regards

Davide


asked 15 Nov '12, 06:42


Davide

edited 15 Nov '12, 07:13


Is there any other option?

This is the closest thing I know that exists today that might help you:

tshark -r somefile.pcap -T fields -e frame.time -e data

Using your example, the output will be something like follows:

Nov 15, 2012 12:53:32.1432 60000000002b114120010770019e00030000000000000b4120010770019e0003

Note: You probably want to qualify the output by specifying a read filter to only match those packets containing your particular protocol, e.g., -R "udp.port eq <your port>" or similar.


answered 15 Nov '12, 11:07


cmaynard ♦♦

edited 15 Nov '12, 11:12

Many thanks, your suggestion is very close to the solution. Unfortunately, wireshark interprets most of my packets as RX protocol (bad luck) and the output -e data is empty.

Only a few of them are interpreted as raw UDP. Is there a way to tell tshark to interpret every packet as raw UDP?

One more thing: I would prefer to extract the whole raw packet and not just the UDP payload (-e data), otherwise I have to include many other fields as IPv6.src dst port ...

Just a raw hex packet with time stamp would be perfect!

Thanks a million

(15 Nov '12, 12:12) Davide

You could try disabling the IPv[4|6] dissectors in Wireshark first, and then run the tshark command. Since those protocols will be disabled, the data "dissector" will include those bytes as part of the output as well. (Wireshark: Analyze -> Enabled Protocols -> deselect the protocols of interest.)

Note that the -R "udp.port eq <your port>" read filter won't work anymore because the UDP dissector will no longer be called, so you may want to pre-filter the capture file, saving only your packets to a separate capture file and then work with that file.

(15 Nov '12, 12:28) cmaynard ♦♦

This works like a charm. I disabled all protocol dissectors and used tshark to print timestamp and raw data as you suggested.

Thanks a million!

(16 Nov '12, 07:53) Davide

Not a direct answer but there are several options for creating a dissector, some are easier (but possibly less flexible) than others:

  • A C based dissector - full access to all functionality, although the API is huge and can be overwhelming at first
  • A Lua based dissector - access to all the functionality offered through the Lua API
  • A Python based dissector - access to all the functionality offered through the Python API (not used much AFAIK)
  • WSGD - A plugin that allows you to define dissection based on text files

Personally I've only done 'C' dissectors so I have no idea if the other options are "easier" in some undefinable way.


answered 15 Nov '12, 07:30


grahamb ♦

thank you very much. I'll try WSGD

(15 Nov '12, 12:12) Davide

If you just want the HEX dump of the whole packet (or parts of it), tshark/wireshark is probably not the right tool for you, as you don't need any of its packet dissecting capabilities.

Please try my perl script instead. Save it as dump-packet.pl and then call it like this:

perl dump-packet.pl input.cap

You can choose to print the whole packet, the IP part or just the UDP payload, by setting the variables print_packet or print_ip or print_udp.

The script may not be perfect, but I'm sure you can modify it to your needs ;-)


#!/usr/bin/perl
# Print one line per packet: "YYYY-MM-DD, HH:MM:SS.uuuuuu, 0x.., 0x.., ..."

use warnings;
use strict;
use Net::Pcap;
use NetPacket::Ethernet qw(eth_strip);
use NetPacket::IP qw(:ALL);
use NetPacket::UDP;
use POSIX qw(strftime);

my $pcap_file = $ARGV[0] or die("usage: $0 <pcap file>\n");

#--- select what to dump: the whole frame, the IP packet, or only the UDP payload
my $print_packet = 1;
my $print_ip     = 0;
my $print_udp    = 0;

my $error;

my $pcap = Net::Pcap::open_offline($pcap_file, \$error)
    or die("FATAL: cannot open $pcap_file -> ERROR: $error\n");

Net::Pcap::loop($pcap, -1, \&process_packet, '');
Net::Pcap::close($pcap);

sub process_packet {
    my ($user_data, $header, $packet) = @_;

    #--- get timestamp from packet header (microseconds zero-padded to 6 digits)
    my $time_stamp = strftime("%Y-%m-%d, %H:%M:%S", localtime($header->{tv_sec}));
    $time_stamp .= sprintf(".%06d", $header->{tv_usec});

    my $hex_string = '';

    if ($print_packet) {
        $hex_string = print_hex($packet);
    }

    #--- strip the Ethernet header; $ip_raw holds the raw bytes of the IP packet
    my $ip_raw = eth_strip($packet);
    my $ip     = NetPacket::IP->decode($ip_raw);

    if ($print_ip) {
        $hex_string = print_hex($ip_raw);
    }

    if ($ip->{proto} == IP_PROTO_UDP) {
        my $udp         = NetPacket::UDP->decode($ip->{data});
        my $udp_payload = $udp->{data};

        if ($print_udp) {
            $hex_string = print_hex($udp_payload);
        }
    }

    print "$time_stamp, $hex_string\n";
}

#--- format a byte string as "0x.., 0x.., ..."
sub print_hex {
    my $data = shift;

    return join(', ', map { "0x$_" } unpack("(H2)*", $data));
}

Sample output:

2012-09-10, 13:06:21.726884, 0x00, 0x09, 0x0f, 0x09, 0x0f, 0x05, 0x00, 0x21, 0x6a, 0x46, 0x46, 0x38, 0x08, 0x00, 0x45, 0x00,

Regards
Kurt


answered 15 Nov '12, 12:56


Kurt Knochner ♦

edited 15 Nov '12, 13:00
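As an added example (not Kurt's script and not part of the original thread), the same one-line-per-packet dump that both the tshark command and the Perl script above produce, written in pure-stdlib Python: it parses the pcap file directly, strips the link-layer header according to the pcap link type (so raw IPv6 captures like the asker's work without any dissector), and selects the whole packet, the IP packet or the UDP payload like the Perl flags. Timestamps are printed in UTC; the sample pcap at the bottom is constructed from the IPv6 header bytes shown in the question, with a made-up destination tail, UDP header and payload.

```python
import struct
from datetime import datetime, timezone

# Link-layer header bytes to strip, per pcap link type: Ethernet (1), and the
# raw-IP types DLT_RAW (12), LINKTYPE_RAW (101), IPV4 (228), IPV6 (229).
LINK_HDR_LEN = {1: 14, 12: 0, 101: 0, 228: 0, 229: 0}

def iter_pcap(data):
    """Yield (ts_sec, ts_usec, linktype, packet) for each record of a pcap file."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if endian is None:
        raise ValueError("not a microsecond-resolution pcap file")
    linktype = struct.unpack(endian + "I", data[20:24])[0]
    off = 24                                   # global header is 24 bytes
    while off + 16 <= len(data):               # per-record header is 16 bytes
        sec, usec, caplen, _ = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec, usec, linktype, data[off:off + caplen]
        off += caplen

def split_packet(pkt, linktype):
    """Return (ip_packet, udp_payload); udp_payload is None unless IPv4/IPv6 UDP."""
    ip = pkt[LINK_HDR_LEN[linktype]:]
    version = ip[0] >> 4
    if version == 6 and ip[6] == 17:           # next header 17 = UDP, fixed 40-byte hdr
        return ip, ip[40 + 8:]                 # also skip the 8-byte UDP header
    if version == 4 and ip[9] == 17:           # IHL (low nibble) * 4 = header length
        return ip, ip[(ip[0] & 0x0F) * 4 + 8:]
    return ip, None

def hex_line(sec, usec, data):
    ts = datetime.fromtimestamp(sec, timezone.utc).strftime("%Y-%m-%d, %H:%M:%S")
    return "%s.%06d, %s" % (ts, usec, ", ".join("0x%02x" % b for b in data))

def dump(data, part="packet"):
    """One line per packet; part is 'packet', 'ip' or 'udp' (non-UDP frames skipped)."""
    lines = []
    for sec, usec, linktype, pkt in iter_pcap(data):
        ip, udp = split_packet(pkt, linktype)
        chosen = {"packet": pkt, "ip": ip, "udp": udp}[part]
        if chosen is not None:
            lines.append(hex_line(sec, usec, chosen))
    return lines

# Constructed sample pcap (link type 229 = raw IPv6): the IPv6 header bytes from the
# question, a made-up destination tail, a UDP header and 35 payload bytes (83 in total).
_IPV6 = bytes.fromhex("60000000002b1141" "20010770019e00030000000000000b41"
                      "20010770019e00030000000000000001")
_UDP = struct.pack(">HHHH", 4660, 4660, 43, 0) + bytes(range(35))
_TS = int(datetime(2012, 11, 15, 12, 53, 32, tzinfo=timezone.utc).timestamp())
SAMPLE_PCAP = (struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 229)
               + struct.pack("<IIII", _TS, 143200, 83, 83) + _IPV6 + _UDP)
```

Run it on a real file with `print("\n".join(dump(open("input.cap", "rb").read())))`; the pcapng format Wireshark saves by default is not handled, so save as classic pcap first.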

Many thanks for your script. Unfortunately I couldn't make it work on my Mac (so far many libs are missing)... I'll keep it in my to-do list anyway. Thanks again

(16 Nov '12, 07:57) Davide

Installing the libs is pretty simple. Run these commands:

perl -MCPAN -e shell

After the shell started, type:

install Net::Pcap
install NetPacket::Ethernet
install NetPacket::IP
install NetPacket::UDP

Watch for any errors during the installation of the Perl modules.

Good luck.

(16 Nov '12, 08:19) Kurt Knochner ♦