This is our old Q&A Site. Please post any new questions and answers at


I use tshark to export packet information from a pcap file and it works well. I now need to export the tcp\udp payload as well. I have looked at several answers - and and they both claim


should work. However, I only get an empty field.

I'm using Wireshark 1.10.1 on windows 7 64 bit.


asked 16 Aug '13, 11:02

vadgros's gravatar image

accept rate: 0%

There may be another way to do this, but I think if you [at least temporarily] disable all relevant upper-layer protocols, then I believe you will be able to get what you need.

For example, suppose you want to export all TCP data, which happens to be http traffic. First, in Wireshark, disable the http protocol via: Analyze -> Enabled Protocols -> HTTP -> [deselect] -> OK, and then quit Wireshark. This could even be done in a new profile, let's call that profile, "Export". You could then have tshark use that profile whenever you need to perform this task.

After that, you would run something along the lines of:

tshark -r infile.pcap -C Export -T fields -e data

You may need/want to apply a filter via -Y "filter" or -2R "filter" to select only those packets of interest.

permanent link

answered 22 Sep '13, 18:45

cmaynard's gravatar image

cmaynard ♦♦
accept rate: 20%

Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here



Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text]( "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:


question asked: 16 Aug '13, 11:02

question was seen: 20,058 times

last updated: 22 Sep '13, 18:45

p​o​w​e​r​e​d by O​S​Q​A