This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Looking for a way to store a portion of the data.data field. I've tried things like data.data[0:10] or data[0:10] but in those cases nothing gets stored.

Thanks in advance!

asked 28 May '13, 15:34

hsingh419's gravatar image

hsingh419
11113
accept rate: 0%


You can look at editcap with the -s <snaplength> option to cut a given number of bytes.

If you want to snip just a specific field value in a protocol, the best way to export that value is probably going to be with the '-T fields' option in tshark, with an '-e {display filter}' option to present as output the value of that particular field in the packet.

Depending on what you're trying to do, another option is to export the packet as plain text, write a script to grab the trace into a "packet array", and run that array through a loop to parse and manipulate the bytes of each packet however you see fit. I've done this a few times with perl for some small projects.

permanent link

answered 28 May '13, 20:23

Quadratic's gravatar image

Quadratic
1.9k6928
accept rate: 13%

Used the -s <snaplength> in tshark while doing a live capture. Works great. Thanks!

(29 May '13, 14:13) hsingh419

What do you mean, store a portion of the data.data field? You can't change bytes in a packet with tShark, it is a "read only" tool (at least at the moment), same as Wireshark.

permanent link

answered 28 May '13, 15:41

Jasper's gravatar image

Jasper ♦♦
23.8k551284
accept rate: 18%

I only need to capture a portion of the payload.

(28 May '13, 15:47) hsingh419

I'm not really sure you can do this either. As far as I know you always need to have all the layers up to the bytes you want to keep because otherwise Wireshark cannot later decode it again.

(28 May '13, 15:51) Jasper ♦♦

Looks like the SnapLen function could work. Not exactly what I'm looking for but might be my only choice.

(28 May '13, 20:06) hsingh419
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×5

question asked: 28 May '13, 15:34

question was seen: 2,673 times

last updated: 29 May '13, 14:13

p​o​w​e​r​e​d by O​S​Q​A