pcap to raw hex dump

Question

I'm looking to convert pcap file to a raw dump of the bytes of the packets.

This is when export file to txt file using wireshark alt text

then the requirement data is only hex data in red box. Because packet data is too much, so need some script to implement this. alt text

and this the result and create multiple file depend on number of packet data alt text

Answer 1

I'm not entirely sure I understand what you're asking. If you want just the ASCII hex dump of all data and nothing else, then you can simply pipe the output of tshark through sed like so:

tshark -x -r mydata.pcap | sed -n 's/^[0-9a-f]*\s$\(\s[0-9a-f][0-9a-f]$\{1,16\}\).*$/\1/p'

If that's not what you're asking, perhaps you could clarify. I don't understand "create multiple file depend on number of packet data." Do you mean that you want to create one file per packet? Is the file to be a hex dump (printable form) or is it a pure binary file?

Answer 2

The sed command given above didn't work for me. I'm no sed expert so there's probably a better, more robust way to do this, but the following seemed to work for me, for what it's worth:

tshark -x -r mydata.pcap | sed -n 's/^[0-9a-f][0-9a-f]*  \(.*  \) .*/\1/p'

faz, since your system doesn't have sed installed, I can logically conclude that you are most likely working on Windows, so you will probably need to install cygwin in order to have sed at your disposal. There may be some other "sed for Windows" alternatives if you don't want to install cygwin.

You can find more information on sed here or here or at a number of other places.