I'm trying to analyse the protocol used to communicate with a device. The host computer just opens a connection to the device on port 9100, and leaves it open. It then communicates with the device very like a serial device (I suspect that the protocol is more or less unchanged from the old serial version of the device). To analyse the bytes sent and received, I need to capture them and ignore all the Ethernet, TCP and IP "wrapping". I'd like to keep the timestamps if possible, because it's useful to see where the long breaks are (which usually mean the system was waiting for something external to happen). How do I do this? Thanks - Rowan asked 24 Nov '12, 15:37 Rowan |
2 Answers:
You can try this:
It will output the hex representation of the tcp data plus some information about the frame. Instead of If you need ASCII output, you can use
Regards answered 25 Nov '12, 02:35 Kurt Knochner ♦ edited 25 Nov '12, 02:44 |
Could you just write a Wireshark dissector for the (serial) protocol that registers itself with "udp.port" with a value of 9100? answered 25 Nov '12, 19:18 Guy Harris ♦♦ |
Thanks. This looks just the job, but it doesn't seem to produce any output. Where does it write its output to? Do I have to add some more options to give it an output filename? I tried several (e.g. -w - or -F libpcap) without success. Here's my actual command: "C:\Program Files\Wireshark\tshark.exe" -r "C:\Users\rbradley.ADC\Documents\Customers\Dansk\DanskLogs121113\2201 overnight capture.pcap" -E separator=, -R "tcp.data" -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e text
Can I do the same thing using the GUI version?
Thanks - Rowan
The above command works for tcp. If it does not output anything, your protocol might use UDP. Is that the case?
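As an added example (not part of the original question or answers, and not Wireshark or tshark code), the script below does in plain Python what the `-T fields -e frame.time -e text` approach does in tshark: it walks a classic pcap file, strips the Ethernet, IPv4 and TCP headers, keeps only segments that carry data to or from port 9100, and prints each payload with its timestamp and the gap since the previous data segment, so the long waits stand out. The pcap it reads is constructed inline (IP addresses, client port and the device's replies are invented sample values; only port 9100 comes from the question); it handles checksum-less synthetic frames exactly like real ones because it never validates checksums.

```python
import struct
from typing import Iterator, List, Optional, Tuple

DEVICE_PORT = 9100  # the port named in the question


def build_frame(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> bytes:
    """Build a minimal Ethernet/IPv4/TCP frame (constructed sample; checksums left at zero)."""
    eth = b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb" + b"\x08\x00"  # EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0, 64, 6, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    # data offset 5 words (0x50), flags PSH|ACK (0x18), window, checksum, urgent pointer
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 0x50, 0x18, 8192, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(records: List[Tuple[float, bytes]]) -> bytes:
    """Serialise (timestamp, frame) pairs into a classic little-endian pcap, linktype 1 = Ethernet."""
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame)) + frame
    return out


def iter_pcap(data: bytes) -> Iterator[Tuple[float, bytes]]:
    """Yield (timestamp, frame bytes) for every record in a classic pcap (pcapng is not handled)."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(endian + "I", data[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled here")
    off = 24
    while off + 16 <= len(data):
        sec, usec, incl, _orig = struct.unpack(endian + "IIII", data[off:off + 16])
        off += 16
        yield sec + usec / 1e6, data[off:off + incl]
        off += incl


def tcp_payload(frame: bytes) -> Optional[Tuple[str, int, str, int, bytes]]:
    """Strip Ethernet/IPv4/TCP headers; return (src, sport, dst, dport, payload) or None if not TCP/IPv4."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":
        return None
    ihl = (frame[14] & 0x0F) * 4          # IPv4 header length in bytes
    if frame[14 + 9] != 6:                # IP protocol field: 6 = TCP
        return None
    total_len = struct.unpack("!H", frame[16:18])[0]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    tcp_off = 14 + ihl
    sport, dport = struct.unpack("!HH", frame[tcp_off:tcp_off + 4])
    doff = (frame[tcp_off + 12] >> 4) * 4  # TCP header length in bytes
    # slice up to the IP total length so Ethernet padding never leaks into the payload
    payload = frame[tcp_off + doff:14 + total_len]
    return src, sport, dst, dport, payload


def extract_stream(pcap: bytes, port: int = DEVICE_PORT) -> List[Tuple[float, float, str, bytes]]:
    """Return (timestamp, gap_since_previous, direction, payload) for data-bearing segments on `port`."""
    rows = []
    prev = None
    for ts, frame in iter_pcap(pcap):
        parsed = tcp_payload(frame)
        if parsed is None:
            continue
        _src, sport, _dst, dport, payload = parsed
        if port not in (sport, dport) or not payload:  # skip other ports and pure ACKs
            continue
        direction = "host->dev" if dport == port else "dev->host"
        gap = 0.0 if prev is None else ts - prev
        prev = ts
        rows.append((ts, gap, direction, payload))
    return rows


def format_row(ts: float, gap: float, direction: str, payload: bytes) -> str:
    """Render one row like tshark's hex plus a printable-ASCII view."""
    ascii_view = "".join(chr(b) if 32 <= b < 127 else "." for b in payload)
    return f"{ts:.6f} (+{gap:.3f}s) {direction} {payload.hex()}  {ascii_view}"


# Constructed sample capture: a request, a reply, a pure ACK, a long pause, then a second request.
SAMPLE_PCAP = build_pcap([
    (1353000000.000000, build_frame("10.0.0.2", "10.0.0.50", 50123, DEVICE_PORT, b"?STATUS\r\n")),
    (1353000000.012345, build_frame("10.0.0.50", "10.0.0.2", DEVICE_PORT, 50123, b"READY\r\n")),
    (1353000000.012400, build_frame("10.0.0.2", "10.0.0.50", 50123, DEVICE_PORT, b"")),
    (1353000001.000000, build_frame("10.0.0.2", "10.0.0.50", 50123, 80, b"GET / HTTP/1.0\r\n\r\n")),
    (1353000002.512345, build_frame("10.0.0.2", "10.0.0.50", 50123, DEVICE_PORT, b"\x02PRINT\x03")),
])

if __name__ == "__main__":
    for row in extract_stream(SAMPLE_PCAP):
        print(format_row(*row))
```

For a real capture, replace `SAMPLE_PCAP` with the bytes of the file (`open(path, "rb").read()`); if Wireshark saved it as pcapng, export it as classic pcap first, since only that container is parsed here. Segments are printed in capture order, not reassembled, so a retransmission shows up twice, which is usually what you want when looking for stalls.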