This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Get tcp and udp payloads with TSHARK


Hi.

I use tshark to export packet information from a pcap file and it works well. I now need to export the tcp\udp payload as well. I have looked at several answers - http://ask.wireshark.org/questions/3323/printing-tcp-payload-using-tshark-t-fields and http://ask.wireshark.org/questions/12431/how-to-add-data-length-column-in-wireshark-display-or-plot-payload-length-vs-packet-no and they both claim

-e tcp.data

should work. However, I only get an empty field.

I'm using Wireshark 1.10.1 on Windows 7 64-bit.

Thanks.

asked 16 Aug '13, 11:02

vadgros


One Answer:

There may be another way to do this, but I think if you [at least temporarily] disable all relevant upper-layer protocols, then I believe you will be able to get what you need.

For example, suppose you want to export all TCP data, which happens to be http traffic. First, in Wireshark, disable the http protocol via: Analyze -> Enabled Protocols -> HTTP -> [deselect] -> OK, and then quit Wireshark. This could even be done in a new profile, let's call that profile, "Export". You could then have tshark use that profile whenever you need to perform this task.

After that, you would run something along the lines of:

tshark -r infile.pcap -C Export -T fields -e data

You may need/want to apply a filter via -Y "filter" or -2R "filter" to select only those packets of interest.

answered 22 Sep '13, 18:45

cmaynard ♦♦
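
An added example, not part of the original answer or of Wireshark itself: a Python post-processor that turns the output of the command above into raw payload bytes and flags frames whose data field came back empty, which is the symptom described in the question. It assumes `-e frame.number` was added before `-e data`, that fields are separated by the default tab, and that the payload is printed as hex, with or without colons depending on the tshark version; `decode_rows`, `summarize` and the sample text are hypothetical names and constructed data.

```python
# Constructed sample of what
#   tshark -r infile.pcap -C Export -T fields -e frame.number -e data
# might print. Frame 2 has an empty data field (no payload, or an
# upper-layer dissector that is still enabled claimed the bytes).
SAMPLE_OUTPUT = (
    "1\t474554202f20485454502f312e310d0a\n"
    "2\t\n"
    "3\t48:54:54:50:2f:31:2e:31\n"
    "4\tnot-hex\n"
)


def decode_rows(text):
    """Parse tab-separated 'frame<TAB>hex' lines.

    Returns (rows, bad): rows maps frame number -> bytes, or None when
    the data field was empty; bad lists lines that could not be parsed.
    """
    rows, bad = {}, []
    for line in text.splitlines():
        if not line.strip():
            continue
        frame, _, hexdata = line.partition("\t")
        frame = frame.strip()
        hexdata = hexdata.strip().replace(":", "")  # accept aa:bb:cc form
        if not frame.isdigit():
            bad.append(line)
            continue
        if not hexdata:
            rows[int(frame)] = None
            continue
        try:
            rows[int(frame)] = bytes.fromhex(hexdata)
        except ValueError:
            bad.append(line)
    return rows, bad


def summarize(rows):
    """Return (frames with payload, frames with an empty data field)."""
    with_data = sorted(f for f, p in rows.items() if p is not None)
    empty = sorted(f for f, p in rows.items() if p is None)
    return with_data, empty


if __name__ == "__main__":
    rows, bad = decode_rows(SAMPLE_OUTPUT)
    with_data, empty = summarize(rows)
    for f in with_data:
        print(f, len(rows[f]), repr(rows[f]))
    print("empty data field in frames:", empty, "| unparsed lines:", len(bad))
```

If every frame ends up in the empty list, check that the profile passed with `-C` really has the upper-layer protocol disabled.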