This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How do I extract all the “data” sections?

0

I'm trying to analyse the protocol used to communicate with a device. The host computer just opens a connection to the device on port 9100, and leaves it open. It then communicates with the device very like a serial device (I suspect that the protocol is more or less unchanged from the old serial version of the device). To analyse the bytes sent and received, I need to capture them and ignore all the ethernet, tcp and ip "wrapping". I'd like to keep the timestamps if possible, because it's useful to see where the long breaks are (which usually mean the system was waiting for something external to happen).

How do I do this?

Thanks - Rowan

asked 24 Nov '12, 15:37


Rowan
accept rate: 0%


2 Answers:

0

You can try this:

tshark -r input.cap -E separator=, -R "tcp.data" -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e tcp.data

It will output the hex representation of the tcp data plus some information about the frame. Instead of -e frame.time you can also use -e frame.time_relative.

If you need ASCII output, you can use -e text instead of -e tcp.data

tshark -r input.cap -E separator=, -R "tcp.data" -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e text

Regards
Kurt

answered 25 Nov '12, 02:35


Kurt Knochner ♦
accept rate: 15%

edited 25 Nov '12, 02:44

Thanks. This looks just the job, but it doesn't seem to produce any output. Where does it write its output to? Do I have to add some more options to give it an output filename? I tried several (e.g. -w - or -F libpcap) without success. Here's my actual command: "C:\Program Files\Wireshark\tshark.exe" -r "C:\Users\rbradley.ADC\Documents\Customers\Dansk\DanskLogs121113\2201 overnight capture.pcap" -E separator=, -R "tcp.data" -T fields -e frame.number -e frame.time -e ip.src -e ip.dst -e text

Can I do the same thing using the GUI version?

Thanks - Rowan

(25 Nov '12, 18:09) Rowan

This looks just the job, but it doesn't seem to produce any output.

The above command works for tcp. If it does not output anything, your protocol might use UDP. Is that the case?

(26 Nov '12, 01:27) Kurt Knochner ♦
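As an added example (not from this thread, and not tshark's own code), the same extraction done directly on a libpcap file in Python: it strips the Ethernet, IPv4 and TCP headers, keeps only non-empty segments on port 9100, and reports each payload with its timestamp and the gap since the previous payload, which is where the long waits the asker mentions show up. The sample capture is constructed inline; the addresses 10.0.0.1/10.0.0.2 and the payload bytes are made up.

```python
import struct

# Constructed sample traffic: host 10.0.0.1 talks to a device listening on 10.0.0.2:9100.
def pcap_record(ts_sec, ts_usec, src, dst, sport, dport, payload):
    """Wrap a TCP payload in TCP/IPv4/Ethernet headers plus a libpcap record header."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0,
                     bytes(src), bytes(dst)) + tcp
    eth = b"\x00" * 12 + b"\x08\x00" + ip  # dst MAC, src MAC, EtherType IPv4
    return struct.pack("<IIII", ts_sec, ts_usec, len(eth), len(eth)) + eth

HOST, DEV = (10, 0, 0, 1), (10, 0, 0, 2)
SAMPLE_PCAP = (
    struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header, LINKTYPE_ETHERNET
    + pcap_record(1000, 0, HOST, DEV, 50000, 9100, b"STATUS?\r\n")
    + pcap_record(1000, 500, DEV, HOST, 9100, 50000, b"")  # bare ACK: no data, must be skipped
    + pcap_record(1003, 250000, DEV, HOST, 9100, 50000, b"OK\r\n")
)

def tcp_payloads(pcap, port):
    """Yield (ts, sport, dport, payload) for non-empty TCP segments on `port`, either byte order."""
    magic, = struct.unpack_from("<I", pcap, 0)
    bo = "<" if magic == 0xA1B2C3D4 else ">"
    off = 24  # skip the global header
    while off + 16 <= len(pcap):
        ts_sec, ts_usec, caplen, _ = struct.unpack_from(bo + "IIII", pcap, off)
        frame = pcap[off + 16: off + 16 + caplen]
        off += 16 + caplen
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over Ethernet, or not TCP
        ihl = (frame[14] & 0x0F) * 4
        ip_len = struct.unpack_from("!H", frame, 16)[0]
        tcp = frame[14 + ihl: 14 + ip_len]  # IP total length drops Ethernet padding
        sport, dport = struct.unpack_from("!HH", tcp, 0)
        payload = tcp[(tcp[12] >> 4) * 4:]  # data offset skips TCP options too
        if port in (sport, dport) and payload:
            yield ts_sec + ts_usec / 1e6, sport, dport, payload

def serial_log(pcap, port=9100):
    """Return (seconds since first byte, gap since previous, direction, hex) per segment."""
    rows, first, prev = [], None, None
    for ts, sport, dport, payload in tcp_payloads(pcap, port):
        first = ts if first is None else first
        rows.append((round(ts - first, 6), round(ts - (prev if prev is not None else ts), 6),
                     ">" if dport == port else "<", payload.hex(" ")))
        prev = ts
    return rows
if __name__ == "__main__":
    print(*serial_log(SAMPLE_PCAP), sep="\n")
```

Point `serial_log` at the bytes of a real capture file to get the same table for your own device; the `>` rows are host-to-device and `<` rows device-to-host.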

0

Could you just write a Wireshark dissector for the (serial) protocol that registers itself with "udp.port" with a value of 9100?

answered 25 Nov '12, 19:18


Guy Harris ♦♦
accept rate: 19%