Hi fellows,

In order to get only the data of each TCP packet (separated from the headers), it is sufficient to use the data field.

A command such as `tshark -r test.pcap -T fields -e data` is enough. Now the tricky part comes when I try to do the same for XMPP packets. Those packets don't have a "data" layer identified in Wireshark, but an xml layer.

Using a command such as `tshark -r test.pcap -T fields -e xml.tag -e xml.unknown` gives me inexact data.

What I would like to achieve is to remove the headers completely and keep only the "xml" part. The data at the end should be stored raw in a data file, and the content of this file should look like the content of the Follow TCP Stream option in Wireshark. Do you have an idea of what field I should use in order to get this result? Or maybe should I try to crop the headers if they have a fixed length? Any suggestion from an expert is welcome :D

Cheers!

asked 04 Dec '12, 02:11

Maybe a foolish suggestion - have you tried just `tshark -r test.pcap -T fields -e xml`?

(05 Dec '12, 05:15) lojza

Hi, first of all thanks for the answer!

I tried that and it just prints "xml" for every packet that contains xml and a blank line for the others. So, it's not a valid solution :)

(05 Dec '12, 06:44) faboul
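One way to get the raw XMPP payload the question asks for, as an added example that is not part of this thread: the `xml` protocol field only reports that the layer is present (as the comment above found), so this script takes the hex-encoded `tcp.payload` field of every packet the `xmpp` dissector matched and decodes it to raw bytes in capture order, which is what Follow TCP Stream shows. It assumes a tshark recent enough to expose `tcp.payload`; the helper names, the file names and the optional stream index are placeholders.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes a tshark that exposes
# the hex-encoded tcp.payload field and the xmpp display filter; file names
# and the stream index are placeholders.
set -eu

# Decode tshark's hex field output to raw bytes. Input: one hex string per
# line; reassembled PDUs may carry several values joined with commas.
# POSIX sh + awk only, so there is no xxd dependency.
hex_to_raw() {
  LC_ALL=C tr -d ',\r\n\t' | LC_ALL=C awk '
    BEGIN { digits = "0123456789abcdef" }
    {
      s = tolower($0)
      if (length(s) % 2 != 0) { print "odd-length hex input" > "/dev/stderr"; exit 1 }
      for (i = 1; i < length(s); i += 2) {
        hi = index(digits, substr(s, i, 1)) - 1
        lo = index(digits, substr(s, i + 1, 1)) - 1
        if (hi < 0 || lo < 0) { print "bad hex digit" > "/dev/stderr"; exit 1 }
        # emit \0ddd octal escapes for the shell printf %b below
        printf "\\0%03o", hi * 16 + lo
      }
    }
    END { printf "\n" }' | { IFS= read -r esc; printf '%b' "$esc"; }
}

# Payload of every packet the xmpp dissector matched, in capture order, so
# the output reads like Follow TCP Stream for all XMPP connections at once.
# Pass a tcp.stream index as $2 to restrict it to one connection.
extract_xmpp_payload() {
  filter='xmpp'
  if [ $# -ge 2 ]; then
    filter="xmpp && tcp.stream eq $2"
  fi
  tshark -r "$1" -Y "$filter" -T fields -e tcp.payload | hex_to_raw
}

# Usage: ./xmpp_payload.sh test.pcap [stream_index] > xmpp_stream.raw
if [ $# -ge 1 ]; then
  extract_xmpp_payload "$@"
fi
```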
question was seen: 3,253 times

last updated: 05 Dec '12, 20:55