This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Hello, i want to extract the hex data from this SSL but when i type tshark -Vnr -r pcap -R (filter) > textfile i only get the details of the pcap without the hex part so i want to know if there is a way to extract the hex data with the details not the details only, i don't want to decrypt or anything i just want to extract it to a plain text, thanks.!

asked 30 Sep '13, 04:35

Ziad%20Kiwan's gravatar image

Ziad Kiwan
21338
accept rate: 0%

i want to extract the hex data from this SSL

do you mean the decrypted payload?

(30 Sep '13, 07:00) Kurt Knochner ♦

when you open the pcap file using wireshark you see the detailed information and the hex information i want to retrieve them "all" using tshark is there a way ?

(30 Sep '13, 07:02) Ziad Kiwan

So, you need the 'raw' TCP payload, regardless of SSL decryption?

(30 Sep '13, 07:08) Kurt Knochner ♦

exactly! i want the raw data

(30 Sep '13, 07:09) Ziad Kiwan

Have you tried using the "-x" command line option?

In your case:

tshark -Vnxr pcap -R (filter) > textfile
permanent link

answered 30 Sep '13, 13:42

SYN-bit's gravatar image

SYN-bit ♦♦
17.1k957245
accept rate: 20%

sorry i'm not that good in wireshark and tshark what does vnxr do ?

(30 Sep '13, 13:51) Ziad Kiwan

I added the "-x" option to the options you already mentioned in your original question, as that option adds the output of the hex dump.

$ tshark -h | fgrep -e " -V" -e " -x" -e " -r" -e " -n"
  -r <infile>              set the filename to read from (no pipes or stdin!)
  -n                       disable all name resolutions (def: all enabled)
  -V                       add output of packet tree        (Packet Details)
  -x                       add output of hex and ASCII dump (Packet Bytes)
$
(30 Sep '13, 14:22) SYN-bit ♦♦

okay thanks for the information, that something good to learn!

(01 Oct '13, 04:53) Ziad Kiwan
permanent link

answered 30 Sep '13, 07:16

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

edited 30 Sep '13, 07:17

can i apply a a filter in this and it will keep working ? i saw this before and tried it and the data stayed the same

(30 Sep '13, 07:29) Ziad Kiwan

can i apply a a filter in this and it will keep working ?

what do you mean? Which filter?

(30 Sep '13, 07:55) Kurt Knochner ♦

its not working i'm not getting the ssl hex data out of the pcap using any of the methods you suggested, about the filter i use a filter to filter the pcap's and then i add them in a plain text

(30 Sep '13, 13:37) Ziad Kiwan
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832

question asked: 30 Sep '13, 04:35

question was seen: 4,834 times

last updated: 23 Jan '15, 14:03

p​o​w​e​r​e​d by O​S​Q​A