This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

How to export raw data from all captured packets?

0

Hi, I have a lot of UDP packets captured where I want to save the raw data (bytes) of each packet in a separate file.

The way I'm doing it currently is that I select the packet, select the data bytes and do Ctrl+H (Export selected packet bytes). But since there are a lot of packets this is of course not a good solution for me.

So is it possible to just export the raw data in separate files from all captured (or filtered) packets at once?

If possible I would also like to give the files names that give further indication how the traffic happened, like [packet_number][src_port][dest_port].bin

asked 12 Jan '14, 04:40

michael825


One Answer:

1

In case you are interested I could offer you a special build of TraceWrangler that can do this on Windows. It took me 20 minutes to hack that sort of processing into the program by using a temporary button on the main form, so this is neither pretty nor will it stay that way for the next official version. And if it crashes for you I probably won't have time to fix anything in the next couple of days.

I did not test it much, but it seems to work, even on a list of traces (I used a couple of DHCPv4 packets in 4 single PCAPng traces, 1 frame per file). For that I changed your output file naming scheme for the exported payloads to [filenumber][packet_number][src_port]-[dest_port].bin, because otherwise outputs are overwritten every once in a while. Send me an email to [email protected] if you're interested.

answered 12 Jan '14, 05:55

Jasper ♦♦

If there isn't any other way to do this then of course I would be interested (I sent the email already).

Though if the basic functionality of exporting the data in files is there (and the packets would just be given numerical names) then I could help myself with filtering out the packets before exporting them.

The only question is if there is such a functionality (and if not why, I mean I don't think this would be considered an exotic feature...)?

(12 Jan '14, 06:57) michael825

Most people probably help themselves with tshark scripts or the export to text file functionality, and then write custom scripts to process them further. At least that's my guess.

(12 Jan '14, 07:19) Jasper ♦♦
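
The custom-script route mentioned in the last comment, as an added example that is not part of the original thread or any poster's code: a Python standard-library script that reads a classic pcap file and writes each UDP payload to its own file named after packet number and ports. The function names, the `_` and `-` separators in the file names and the sample capture are assumptions made for this example; pcapng, VLAN tags and IPv6 are not handled.

```python
import struct
from pathlib import Path
ENDIAN = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}  # classic pcap magic
def udp_payloads(pcap):
    """Yield (packet_number, src_port, dst_port, payload) per UDP/IPv4 frame."""
    end = ENDIAN.get(pcap[:4])
    if end is None or struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("expected a classic pcap file with Ethernet link type")
    off, number = 24, 0
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        number += 1  # 1-based, matching the frame numbers Wireshark shows
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue  # not IPv4
        ihl = (frame[14] & 0x0F) * 4
        frag_offset = struct.unpack("!H", frame[20:22])[0] & 0x1FFF
        udp = frame[14 + ihl:]
        if ihl < 20 or frame[23] != 17 or frag_offset or len(udp) < 8:
            continue  # not UDP, or a later fragment that has no UDP header
        sport, dport, ulen = struct.unpack("!HHH", udp[:6])
        # Slice by the UDP length field so Ethernet padding is not exported.
        yield number, sport, dport, udp[8:ulen]

def export_payloads(pcap, out_dir):
    """Write one file per UDP packet; return the file names in capture order."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    names = []
    for number, sport, dport, payload in udp_payloads(pcap):
        name = f"{number}_{sport}-{dport}.bin"  # assumed separator style
        (out / name).write_bytes(payload)
        names.append(name)
    return names

def sample_pcap():
    """Constructed capture: one ARP frame, then two UDP frames (first padded)."""
    def udp_frame(sport, dport, data):
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(data), 0, 0, 64, 17, 0,
                         bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
        udp = struct.pack("!HHHH", sport, dport, 8 + len(data), 0) + data
        return (bytes(12) + b"\x08\x00" + ip + udp).ljust(60, b"\x00")
    frames = [bytes(12) + b"\x08\x06" + bytes(46),
              udp_frame(68, 67, b"hello"), udp_frame(5000, 5001, bytes(range(40)))]
    pcap = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for f in frames:
        pcap += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return pcap
```

To run it on a real capture, pass the file's bytes, for example `export_payloads(Path("capture.pcap").read_bytes(), "out")`; a pcapng capture has to be saved in classic pcap format first.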