This is a static archive of our old Q&A Site. Please post any new questions and answers at

Extract only the data layer of jabber/xml protocol using tshark


Hi fellows,

In order to get only the data of each TCP packet (separated from the headers), it is sufficient to use the data field.

A command such as `tshark -r test.pcap -T fields -e data` is enough. Now the tricky part comes when I try to do the same for XMPP packets. Those packets don't have a "data" layer identified in Wireshark, but an xml layer.

Using a command such as `tshark -r test.pcap -T fields -e xml.tag -e xml.unknown` gives me inexact data.

What I would like to achieve is to remove the headers completely and keep only the "xml" part. The data at the end should be stored raw in a data file, and the content of this file should look like the content of the Follow TCP Stream option in Wireshark. Do you have an idea of what field I should use in order to get this result? Or maybe should I try to crop the headers if they have a fixed length? Any suggestion from an expert is welcome :D

Cheers !

asked 04 Dec '12, 02:11 by faboul

Maybe foolish suggestion - have you tried just `tshark -r test.pcap -T fields -e xml`?

(05 Dec '12, 05:15) lojza

Hi, first of all thanks for the answer!

I tried that and it just prints "xml" for every packet that contains xml and a blank line for the others. So, it's not a valid solution :)

(05 Dec '12, 06:44) faboul
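An added example, not part of the original thread: the bytes the question wants are the TCP segment payload itself rather than anything in the xml.* fields, and tshark can print that payload with `-e tcp.payload`. The field comes out as hex (newer tshark prints `3c6d65...`, older versions `3c:6d:65:...`), so the script below decodes it back to raw bytes with a small awk helper before writing the file. It assumes a tshark recent enough to have the `tcp.payload` field and the `-Y` display-filter option (older releases use `-R`); `test.pcap` is the file name from the question and 5222 is the usual XMPP client port, both assumptions. The hex samples at the bottom are constructed by hand for a segment carrying `<message>hi</message>`.

```shell
#!/bin/sh
# Added example (not from the original thread): dump the raw XMPP payload of
# every TCP segment with tshark, then turn tshark's hex field output back
# into bytes. Assumes a tshark with the tcp.payload field and the -Y option.

# tshark prints tcp.payload as hex, either "3c6d65..." (newer versions) or
# "3c:6d:65:..." (older ones). Accept both and emit the raw bytes.
# LC_ALL=C keeps awk's %c at byte level so UTF-8 payload is not re-encoded.
hex_to_raw() {
  tr -d ':' | LC_ALL=C awk '
    BEGIN { digits = "0123456789abcdef" }
    {
      s = tolower($0)
      for (i = 1; i + 1 <= length(s); i += 2) {
        hi = index(digits, substr(s, i, 1)) - 1
        lo = index(digits, substr(s, i + 1, 1)) - 1
        printf "%c", hi * 16 + lo
      }
    }'
}

# Payload of every non-empty segment on the XMPP port, in capture order and
# with both directions interleaved, which is what the default "Follow TCP
# Stream" view shows. $1 is the capture file; port 5222 is an assumption.
dump_xmpp_payload() {
  tshark -r "$1" -Y 'tcp.port == 5222 && tcp.len > 0' \
         -T fields -e tcp.payload | hex_to_raw
}

# Constructed samples of what "-e tcp.payload" prints for one segment that
# carries <message>hi</message>, in the new and the old output style.
SAMPLE_NEW='3c6d6573736167653e68693c2f6d6573736167653e'
SAMPLE_OLD='3c:6d:65:73:73:61:67:65:3e:68:69:3c:2f:6d:65:73:73:61:67:65:3e'

# Only touch a real capture when tshark and the file are actually present.
if command -v tshark >/dev/null 2>&1 && [ -r test.pcap ]; then
  dump_xmpp_payload test.pcap > xmpp.raw
fi
```

Two caveats for anyone reproducing this: the fields output concatenates segments in capture order, so a retransmitted or out-of-order segment appears exactly as captured, whereas Follow TCP Stream shows the reassembled byte sequence; if you want one direction of one connection in stream order, current tshark also offers `tshark -r test.pcap -q -z follow,tcp,raw,0`, whose hex output can be fed through the same `hex_to_raw` helper.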