I need to extract just the data from a capture file, something like using 'Follow Stream' and then saving that as a file, but using tshark. I've discovered that, for other protocols using TCP, I can filter using -e tcp.sequence_data, but there doesn't appear to be an equivalent for UDP. (I saw an answer to another question that suggested -e udp.data but that threw up an error.)
asked 08 Oct '13, 06:49
Here's how to do it, using HTTP traffic as an example:
What you'll get is hex dumps of only the undecoded data (which is why you disabled the protocols of interest). Note that this works with both TCP and UDP without change.
answered 08 Oct '13, 12:16
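Added example, not part of the original answer: a post-processing script that turns the hex dumps described above into one raw file per stream, which is the "save as a file" step the question asks about. It assumes tshark was run with `-T fields -e udp.stream -e data.data` (or `tcp.stream`) after disabling the protocol of interest; the function names, the output file names and the sample lines are constructed for illustration.

```python
"""Rebuild per-stream payload bytes from tshark field output (added example).

Assumed input: one line per packet, "<stream index>\t<hex>", as printed by
`tshark -T fields -e udp.stream -e data.data` with the protocol disabled.
"""
import sys
from collections import defaultdict


def parse_hex_field(field):
    """Decode one data.data column into bytes.

    Accepts plain hex ("4869") and colon-separated hex ("48:69"); several
    occurrences within one packet arrive comma-separated.
    """
    out = bytearray()
    for occurrence in field.split(","):
        cleaned = occurrence.strip().replace(":", "")
        if cleaned:
            out += bytes.fromhex(cleaned)  # ValueError on non-hex text
    return bytes(out)


def payloads_by_stream(lines):
    """Return {stream index: payload bytes in capture order}."""
    streams = defaultdict(bytearray)
    for line in lines:
        stream, sep, field = line.rstrip("\r\n").partition("\t")
        if not sep or not stream.strip().isdigit():
            continue  # no stream index: packet is not part of a UDP/TCP stream
        streams[int(stream)] += parse_hex_field(field)
    return {index: bytes(data) for index, data in streams.items()}


# Constructed sample: two interleaved streams, one packet with no payload.
SAMPLE = [
    "0\t48:65:6c:6c:6f",
    "1\t0a0b",
    "0\t",
    "0\t2c20,776f726c64",
]

if __name__ == "__main__":
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    for index, data in payloads_by_stream(source).items():
        with open(f"stream_{index}.bin", "wb") as fh:
            fh.write(data)
        print(f"stream {index}: {len(data)} bytes -> stream_{index}.bin")
```

Both directions of a conversation share one stream index, so the output interleaves them in capture order; filter on the source address in tshark first if only one side is wanted.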