This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

how to get only the headers of a packet

0

Hi,

Is there any way to use display filters to get only the headers for a packet and not the contents/payload (e.g. which seem to follow the content-length header in SIP) using tshark. It is possible to select individual headers but I know not any way to exclude the payload.

Thanks, qwerfdsa

asked 12 Mar '13, 21:01

qwerfdsa's gravatar image

qwerfdsa
16225
accept rate: 0%


3 Answers:

0

You cannot do that with display filters. You could use "editcap -s" (editcap is a command line tool that comes with Wireshark) to cut away parts of each packet at a certain offset. That offset has to be the same for each packet, which means that if not all headers have the same size the cut will be in different parts of the packet.

Keep in mind that using editcap to cut away the parts means that they're not in the capture file anymore, so they cannot be restored unless you keep the original file as well.

answered 13 Mar '13, 02:07

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

0

"Get" in what sense?

Display filters can exclude entire packets from the display; they are not a mechanism to filter out parts of individual packets.

If you want to limit the contents of your capture file to the packet headers, see Jasper's answer - that is a bit of a crude tool, as it slices packets off at a fixed offset (it's the equivalent of "-s" in tcpdump/dumpcap/TShark/Wireshark and the "Limit each packet to XXX bytes" GUI option in Wireshark) rather than at a particular layer of the packet, but it may do what you want.

If you're trying to extract particular fields for processing in some other script or tool, see TShark's "-T fields" option.

answered 13 Mar '13, 10:41

Guy%20Harris's gravatar image

Guy Harris ♦♦
17.4k335196
accept rate: 19%

Since they seem to be \r\n separated, would it be possible to separate them using any regular expression supporting command line utility (Linux)?

(13 Mar '13, 12:18) qwerfdsa

Since they seem to be \r\n separated

What do you mean by "they"? Are you talking about the default output of tshark -V? Are you talking about the contents of a SIP message?

(13 Mar '13, 12:25) Guy Harris ♦♦

Yes. From the RFC 3261, Response/Request= Status-Line*( message-header )CRLF[ message-body] So the contents seem to be separated from the headers by a CRLF.

(13 Mar '13, 12:31) qwerfdsa

So how are you extracting the headers? Would you use the regex-supporting utility on:

  • the output of tshark -V;
  • the output of tshark -T fields -e...;
  • the output of some other tool;
  • the raw capture file?

I would strongly recommend against the latter, as capture files are binary files.

(13 Mar '13, 13:28) Guy Harris ♦♦

I only have the raw capture file to experiment with. vim seems to render plaintext until the actual content and od indicates a \r\n between the headers and the content. How would I be able to use grep to separate them (using collations?) - Thanks

(13 Mar '13, 17:50) qwerfdsa

0

joke on Stack Overflow came up with this answer in Wireshark, which worked for me. Joke's answer also has a tshark example.

  1. Apply a display filter, such as sip
  2. Go to the the Packet Details pane.
  3. Expand "Session Initiation Protocol"
  4. Expand Request-Line, Message Header and Message Body* (do not Expand Subtrees)
  5. Go to File - Export - Export Packet Dissections... - As "Plain Text" File...
  6. Packet Format section: select "Packet Summery Line" and "Packet Details: As Displayed"
  7. Add a file name and save the file

(CC-BY-SA 3.0)

answered 23 Feb '16, 06:17

cxw's gravatar image

cxw
63
accept rate: 0%

edited 23 Feb '16, 06:18