In order to get only the data of each TCP packet (separated from the headers), it is sufficient to use the data field.
A command such as
Using a command such as `tshark -r test.pcap -T fields -e xml.tag -e xml.unknown` gives me inexact data.
What I would like to achieve is to completely remove the headers and keep only the "xml" part. The data at the end should be stored raw in a data file, and the content of this file should look like the content of the Follow TCP Stream option in Wireshark. Do you have an idea of what field I should use in order to get this result? Or maybe I should try to crop the headers if they have a fixed length? Any suggestion from an expert is welcome :D
asked 04 Dec '12, 02:11