Well, Wireshark (with >2 million lines of code) is a bit overkill for that, why not use a simple Perl script:
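    #!/opt/local/bin/perl -w
    use strict;
    use Net::PcapUtils;
    use NetPacket::Ethernet;

    # Capture ICMP only (IP protocol 1) and hand each frame to process_pkt.
    # The callback has to be passed as a code reference.
    Net::PcapUtils::loop(\&process_pkt, FILTER => 'ip proto 1');

    sub process_pkt {
        my ($user_data, $hdr, $pkt) = @_;
        my $eth = NetPacket::Ethernet->decode($pkt);
        # 2048 == 0x0800, the EtherType for IPv4
        if ($eth->{type} == 2048) {
            # {data} is the frame payload, i.e. the packet without the Ethernet header
            printf "%s\n", unpack("H*", $eth->{data});
        }
    }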
which gives the following output (for a ping to 8.8.8.8):
450000544f3d00004001599fc0a801150808080808006e73b68e00005199293100006d3008090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
45280054000000003201b6b408080808c0a8011500007673b68e00005199293100006d3008090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
45000054e97400004001bf67c0a801150808080808006e28b68e00015199293200006d7908090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
45280054000000003201b6b408080808c0a8011500007628b68e00015199293200006d7908090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637
I’ll leave the proper filtering and layout enhancements as an exercise for the reader :-)
answered 19 May '13, 12:36
SYN-bit ♦♦
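One way to do the "proper filtering" left as an exercise above, as an added Python example that is not part of the original answer: it works offline on a classic pcap file instead of a live capture, skips the Ethernet II header including any VLAN tags, keeps only IPv4 packets of one protocol (ICMP by default, like the 'ip proto 1' filter), and trims Ethernet padding using the IP total length. The function names, the sample capture and its addresses are constructed for illustration.

```python
import struct

ETH_IPV4, VLAN_TAGS = 0x0800, (0x8100, 0x88A8)

def strip_ethernet(frame, proto=1):
    """Return the IPv4 packet carried in an Ethernet II frame, else None."""
    off = 12                                    # skip dst + src MAC
    while True:
        if len(frame) < off + 2:
            return None
        (etype,) = struct.unpack_from("!H", frame, off)
        if etype not in VLAN_TAGS:
            break
        off += 4                                # skip one 802.1Q/802.1ad tag
    ip = frame[off + 2:]
    if etype != ETH_IPV4 or len(ip) < 20 or ip[0] >> 4 != 4:
        return None
    (total_len,) = struct.unpack_from("!H", ip, 2)
    if not 20 <= total_len <= len(ip) or ip[9] != proto:
        return None                             # truncated or other protocol
    return ip[:total_len]                       # trims Ethernet padding

def ip_hex_from_pcap(data, proto=1):
    """Hex strings of the matching IPv4 packets in a classic pcap file."""
    end = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if end is None or len(data) < 24:
        raise ValueError("not a classic pcap file")
    if struct.unpack_from(end + "I", data, 20)[0] != 1:
        raise ValueError("link type is not Ethernet")
    out, pos = [], 24
    while pos + 16 <= len(data):
        (incl_len,) = struct.unpack_from(end + "I", data, pos + 8)
        ip = strip_ethernet(data[pos + 16:pos + 16 + incl_len], proto)
        if ip is not None:
            out.append(ip.hex())
        pos += 16 + incl_len
    return out

# Constructed sample: echo request 192.0.2.1 -> 192.0.2.2 (IP checksum left 0).
MACS = bytes.fromhex("020000000002020000000001")
IP = bytes.fromhex("4500001c0001000040010000c0000201c00002020800f7ff00000000")
FRAMES = [MACS + b"\x08\x00" + IP + bytes(18),                  # untagged, padded
          MACS + b"\x81\x00\x00\x0a\x08\x00" + IP + bytes(14),  # VLAN 10
          MACS + b"\x08\x06" + bytes(46)]                       # ARP, skipped
SAMPLE = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1) + b"".join(
    struct.pack("<IIII", 0, 0, len(f), len(f)) + f for f in FRAMES)

if __name__ == "__main__":
    print("\n".join(ip_hex_from_pcap(SAMPLE)))
```

Packets cut short by the capture snap length are skipped rather than printed partially, and pcapng files are rejected by the magic-number check.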
But that doesn't exclude Ethernet II. Thanks.
Sorry, I thought "Ethernet excluded" meant that you removed it from your quote due to sanitization purposes. I guess if you want to export packets without the Ethernet header Wireshark will not help you unless you find a way to edit each frame by script after exporting it.
May I ask why you need to remove the Ethernet header? Maybe there's another solution I can think of.
For testing purposes. I can copy each frame and edit it but it is tedious. I appreciate your help.
The new export PDU functionality could be made to do that.