This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

DIS PDU data extraction with tshark

0

I need to extract just the data from a capture file, something like using 'Follow Stream' and then saving that as a file, but using tshark. I've discovered that, for other protocols using TCP, I can filter using -e tcp.sequence_data, but there doesn't appear to be an equivalent for UDP. (I saw an answer to another question that suggested -e udp.data but that threw up an error.)

asked 08 Oct '13, 06:49

wiggers's gravatar image

wiggers
315511
accept rate: 0%

One Answer:

1

Here's how to do it, using http traffic as an example:

  1. start Wireshark and open the dialog Analyze->Enabled Protocols...
  2. choose the protocol or protocols you're interested in extracting (e.g. http) and disable them (no, that's not a typo!)
  3. save that setting and exit Wireshark
  4. run tshark as tshark -r mydata.pcap -Tfields -edata
  5. you might wish to go back into Wireshark and re-enable the protocol(s)

What you'll get is hex dumps of only the undecoded data (which is why you disabled the protocols of interest). Note that this works with both TCP and UDP without change.

answered 08 Oct '13, 12:16

beroset's gravatar image

beroset
2261213
accept rate: 33%

Many thanks. Some more on config files to disable protocols here.

(09 Oct '13, 01:33) wiggers

If that adequately answers your question, please accept the answer so that it no longer shows up as "unanswered." Thanks!

(09 Oct '13, 08:38) beroset

How do you 'accept'?

(14 Oct '13, 04:13) wiggers

To accept an answer you just check on the check mark next to the answer. See http://ask.wireshark.org/faq/

(14 Oct '13, 04:37) beroset