Hi all, I'm trying to print out the first 20 TCP payload bytes in tshark, but I want to print out several other fields so that I can pass the result to an analysis program I'm writing. The easiest way for me to parse the data is CSV, so I'm using tshark in -T fields mode with "-E separator=,". So I have additional options such as -e tcp.srcport, -e tcp.stream, -e tcp.flags.syn and so on. But as the last field, I can't find how to output the first 20 TCP payload bytes. I tried something like -e frame[54-73], but that didn't print anything out; neither did -e tcp[20-39] nor -e ip[54-73]. Any ideas? Thanks, --Rob asked 04 Apr '11, 09:13 RobB
One Answer:
Starting with Wireshark 1.4.5, available from the main download page, or with any development release starting from r36629, available from the automated download area, the TCP segment data is now filterable with "tcp.data". Unfortunately, you still won't be able to limit the amount of data with something like "tcp.data[0:20]". answered 16 Apr '11, 13:14 cmaynard
I should also mention that -e data doesn't work: for TCP packets, it prints out nothing (even though I know there is data in there), and it only seems to print out data for things like IP fragments.
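Since the answer above says tshark can emit the whole segment as "tcp.data" but cannot slice it, the truncation has to happen in the consumer. The following Python script is an added example, not code from the thread or from the Wireshark project: it reads the CSV that a command such as "tshark -r capture.pcap -T fields -E separator=, -e tcp.srcport -e tcp.stream -e tcp.flags.syn -e tcp.data" would produce (the exact field list and the sample rows are constructed for this example), decodes the last column as hex, keeps only the first 20 payload bytes, and writes the rows back out as CSV for the analysis program. It accepts both colon-separated and bare hex, since different tshark builds format byte fields differently, and it treats an empty payload column (a SYN, for instance) as zero bytes rather than failing.

```python
"""Keep only the first N TCP payload bytes in tshark -T fields CSV output.

Added example for the thread above; not part of tshark or Wireshark.
The assumed producer is:
  tshark -r capture.pcap -T fields -E separator=, \
         -e tcp.srcport -e tcp.stream -e tcp.flags.syn -e tcp.data
The payload (last column) is assumed to be hex, with or without ':'
between octets. Pipe tshark into this script or feed it a saved file.
"""
import csv
import io
import sys

PAYLOAD_BYTES = 20  # how many payload bytes to keep per row

# Constructed sample of tshark output (three rows of one TCP stream):
# a SYN with no payload, a client request with colon-separated hex,
# and a server reply with bare hex. Payload contents are made up.
SAMPLE_OUTPUT = """\
54321,0,1,
54321,0,0,47:45:54:20:2f:69:6e:64:65:78:2e:68:74:6d:6c:20:48:54:54:50:2f:31:2e:31:0d:0a
80,0,0,485454502f312e3120323030204f4b0d0a
"""


def parse_payload(hexfield):
    """Decode a tshark byte-field string; an empty field means no payload."""
    cleaned = hexfield.replace(":", "").strip()
    if not cleaned:
        return b""
    return bytes.fromhex(cleaned)


def truncate_rows(text, n=PAYLOAD_BYTES):
    """Parse CSV text, cap the last column at n payload bytes.

    Returns a list of rows; the payload column is re-encoded as bare hex
    so the downstream parser sees one consistent format.
    """
    rows = []
    for row in csv.reader(io.StringIO(text)):
        if not row:          # skip blank lines tshark may leave at the end
            continue
        *fields, payload = row
        data = parse_payload(payload)[:n]
        rows.append(fields + [data.hex()])
    return rows


def to_csv(rows):
    """Serialize rows back to comma-separated lines for the analysis program."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    # Read tshark output from stdin when piped, otherwise use the sample.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_OUTPUT
    sys.stdout.write(to_csv(truncate_rows(source)))
```

The request row in the sample is 26 bytes long and comes out as exactly 20 bytes ("GET /index.html HTTP"); the 17-byte reply is shorter than the limit and passes through unchanged. Capping the payload in the consumer also means the analysis program never has to hold full segments in memory, which is the usual reason for wanting a fixed prefix in the first place.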