This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Tshark storing only a piece of data.data field

0

Looking for a way to store a portion of the data.data field. I've tried things like data.data[0:10] or data[0:10] but in those cases nothing gets stored.

Thanks in advance!

asked 28 May '13, 15:34

hsingh419
accept rate: 0%


2 Answers:

1

You can look at editcap with the -s <snaplength> option to cut a given number of bytes.

If you want to snip just a specific field value in a protocol, the best way to export that value is probably going to be with the '-T fields' option in tshark, with an '-e {display filter}' option to present as output the value of that particular field in the packet.

Depending on what you're trying to do, another option is to export the packet as plain text, write a script to grab the trace into a "packet array", and run that array through a loop to parse and manipulate the bytes of each packet however you see fit. I've done this a few times with perl for some small projects.

answered 28 May '13, 20:23

Quadratic
accept rate: 13%

Used the -s <snaplength> in tshark while doing a live capture. Works great. Thanks!

(29 May '13, 14:13) hsingh419
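One way to combine the '-T fields' approach above with the original goal of keeping only part of the payload: the script below is an added example, not code from the thread, and it assumes tshark is on PATH and that the caller passes a capture file. A slice like data.data[0:10] works as a filter but does not shorten the exported value, so the truncation is done on tshark's output instead.

```shell
#!/bin/sh
# Added example (not from the original thread): export data.data with
# "tshark -T fields" and keep only the first N bytes of each value.

# truncate_hex HEX NBYTES
# HEX is a data.data value as tshark prints it, either "48656c6c6f" or the
# colon-separated form "48:65:6c:6c:6f" used by older releases. Prints the
# first NBYTES bytes as plain hex (shorter input is printed unchanged).
truncate_hex() {
    hex=$(printf '%s' "$1" | tr -d ':')
    nchars=$(( $2 * 2 ))
    printf '%s' "$hex" | cut -c1-"$nchars"
}

# tshark_payload_prefix PCAP NBYTES
# For every frame that has a data.data field, print "frame<TAB>hex" with the
# payload cut down to NBYTES bytes. Assumes tshark on PATH; "-Y" is the display
# filter switch of newer tshark releases (older ones use "-R").
tshark_payload_prefix() {
    tshark -r "$1" -Y data -T fields -e frame.number -e data.data 2>/dev/null |
    while IFS="$(printf '\t')" read -r frame hex; do
        [ -n "$hex" ] || continue
        printf '%s\t%s\n' "$frame" "$(truncate_hex "$hex" "$2")"
    done
}

# Constructed sample line in the format tshark emits, so the script can be
# exercised without a capture file: frame 7 carrying "Hello world".
sample_line='7	48:65:6c:6c:6f:20:77:6f:72:6c:64'
sample_prefix() {
    printf '%s\n' "$sample_line" |
    while IFS="$(printf '\t')" read -r frame hex; do
        printf '%s\t%s\n' "$frame" "$(truncate_hex "$hex" "$1")"
    done
}

# Run as a script: sample_prefix 5 prints "7<TAB>48656c6c6f".
sample_prefix 5
```

If the capture itself should be shortened at capture time rather than at export time, the accepted "-s <snaplength>" route in the comment above is the simpler choice.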

0

What do you mean, store a portion of the data.data field? You can't change bytes in a packet with tshark, it is a "read only" tool (at least at the moment), same as Wireshark.

answered 28 May '13, 15:41

Jasper ♦♦
accept rate: 18%

I only need to capture a portion of the payload.

(28 May '13, 15:47) hsingh419

I'm not really sure you can do this either. As far as I know you always need to have all the layers up to the bytes you want to keep because otherwise Wireshark cannot later decode it again.

(28 May '13, 15:51) Jasper ♦♦

Looks like the SnapLen function could work. Not exactly what I'm looking for but might be my only choice.

(28 May '13, 20:06) hsingh419