
Hi,

I have successfully created a filter and captured the packets I need. I have looked at the various save and export options in Wireshark, and fail to find an option to save only the payload data in a binary file without any file headers or formatting.

Is this possible in Wireshark, or do I need to create some sort of script to do this?

Thanks in advance for any replies.

asked 10 Aug '14, 01:36

yulquen


> Is this possible in Wireshark, or do I need to create some sort of script to do this?

Wireshark

Scripting:

tshark examples:

http://ask.wireshark.org/questions/23827/get-tcp-and-udp-payloads-with-tshark
http://ask.wireshark.org/questions/15374/dump-raw-packet-data-field-only
run `tshark -nr input.pcap -Vx` and then parse the output

Lua Examples:

http://wiki.wireshark.org/Lua/Examples
http://wiki.wireshark.org/Lua/Taps

Regards
Kurt


answered 10 Aug '14, 06:24


Kurt Knochner ♦

edited 10 Aug '14, 06:25

Follow TCP stream seems to be the easiest solution, but there seems to be a limitation.

When I select the first packet and Follow TCP stream, only a small part of the data is available (about 204KB of 16MB of data captured). Saving as raw gives me the payload data I wanted, but only a small fraction of the whole data set.

(10 Aug '14, 13:14) yulquen

Did you limit the frame size during the capture phase?

Please check if bytes on wire and bytes captured (Frame layer) are identical.

(10 Aug '14, 14:09) Kurt Knochner ♦

They are the same (1514 bytes).

My capture has 10881 packets. If I select "Follow TCP stream" the dropdown says "Entire conversation (204400 bytes)" and when I do a raw save, that's how big my file gets.

TCP segment length is 1460 so it amounts to payload from exactly 140 packets instead of 10881.

(10 Aug '14, 14:32) yulquen

hm.. could be a bug. What is your

  • OS and OS version
  • Wireshark version

(10 Aug '14, 14:53) Kurt Knochner ♦

  • win7 pro 64bit sp1
  • wireshark Version 1.12.0 (v1.12.0-0-g4fab41a from master-1.12)

(11 Aug '14, 00:39) yulquen

Can you please try version 1.10.9?

(11 Aug '14, 02:44) Kurt Knochner ♦

Done, same result.

(11 Aug '14, 03:18) yulquen

Well, then it's probably related to your capture file. Is there any special protocol on top of TCP that Wireshark 'detects', like SMTP, HTTP, etc.?

(11 Aug '14, 04:11) Kurt Knochner ♦

The packet details only lists Ethernet II, IP V4 and TCP for all packets.

If I disable all other protocols, there's an additional listing for data (1460 bytes). But even so, selecting "Follow TCP stream", it still says 204400 bytes in total. Looking at the raw export file in a hex viewer, it is clear that Wireshark just exports the payload from the first 140 frames, and leaves the rest of them out.

(11 Aug '14, 04:43) yulquen

> it is clear that Wireshark just exports the payload from the 140 first frames, and leaves the rest of them out.

hm... sounds like a bug. Please file a bug report at https://bugs.wireshark.org and add a reference to this question. Please add as much information as possible, e.g. a smaller capture file that helps to reproduce the problem.

(11 Aug '14, 05:34) Kurt Knochner ♦
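As an added example (not from the thread, and not Wireshark or tshark code), the "script" route from Kurt's answer can also skip tshark entirely and read the capture file directly. The script below parses a classic libpcap file with a minimal, dependency-free parser, selects one direction of one TCP connection, orders the segments by sequence number so that retransmitted or out-of-order frames do not duplicate bytes, and writes the payload as a header-less binary file. It also counts frames whose captured length is shorter than their length on the wire, which is the "bytes on wire vs. bytes captured" check from the comments above. It assumes Ethernet II / IPv4 / TCP frames (the only layers the asker saw), and the endpoints, file name and sample frames are constructed for the demonstration, not taken from anyone's capture.

```python
"""Added example: dump one TCP stream's payload as raw bytes from a classic
libpcap file. Minimal parser, no third-party modules, Ethernet/IPv4/TCP only."""
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
LINKTYPE_ETHERNET = 1


def read_pcap(data):
    """Yield (orig_len, incl_len, frame) for every record of a classic pcap."""
    if data[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # written by a little-endian host
    elif data[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    linktype = struct.unpack(end + "I", data[20:24])[0]
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet link type is handled, got %d" % linktype)
    off = 24                           # global header is 24 bytes
    while off + 16 <= len(data):
        _sec, _usec, incl_len, orig_len = struct.unpack(end + "IIII", data[off:off + 16])
        off += 16
        yield orig_len, incl_len, data[off:off + incl_len]
        off += incl_len


def parse_tcp(frame):
    """Return (src, sport, dst, dport, seq, payload), or None if not IPv4/TCP."""
    if len(frame) < 34 or struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    if ip[9] != PROTO_TCP:
        return None
    tcp = ip[ihl:total_len]            # total_len also trims Ethernet trailer padding
    if len(tcp) < 20:
        return None                    # TCP header itself was cut off by the snaplen
    sport, dport, seq = struct.unpack("!HHI", tcp[:8])
    data_off = (tcp[12] >> 4) * 4
    src = ".".join(str(b) for b in ip[12:16])
    dst = ".".join(str(b) for b in ip[16:20])
    return src, sport, dst, dport, seq, tcp[data_off:]


def extract_stream(pcap_bytes, src, sport, dst, dport):
    """Reassemble the payload sent from src:sport to dst:dport.

    Segments are keyed by sequence number relative to the first one seen, so
    retransmissions and out-of-order frames do not duplicate output bytes.
    Returns (payload, truncated_frames); a non-zero count means the capture
    snaplen cut frames short (bytes captured < bytes on wire)."""
    segments, truncated, first_seq = {}, 0, None
    for orig_len, incl_len, frame in read_pcap(pcap_bytes):
        if incl_len < orig_len:
            truncated += 1
        parsed = parse_tcp(frame)
        if parsed is None or parsed[:4] != (src, sport, dst, dport) or not parsed[5]:
            continue
        seq, payload = parsed[4], parsed[5]
        if first_seq is None:
            first_seq = seq
        segments.setdefault((seq - first_seq) & 0xFFFFFFFF, payload)  # keep first copy
    out, expected = bytearray(), 0
    for rel in sorted(segments):
        chunk = segments[rel]
        if rel < expected:             # overlaps bytes already written
            chunk = chunk[expected - rel:]
        out += chunk
        expected = max(expected, rel + len(segments[rel]))
    return bytes(out), truncated


# --- constructed sample capture (hypothetical hosts, not a real trace) -------
def build_frame(src, sport, dst, dport, seq, payload):
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x18, 65535, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 0, 0, 64,
                     PROTO_TCP, 0, bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return b"\x02" * 6 + b"\x04" * 6 + struct.pack("!H", ETHERTYPE_IPV4) + ip + tcp + payload


def build_pcap(frames, snaplen=65535):
    out = bytearray(struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, snaplen, LINKTYPE_ETHERNET))
    for f in frames:
        out += struct.pack("<IIII", 0, 0, min(len(f), snaplen), len(f)) + f[:snaplen]
    return bytes(out)


A, B = ("10.0.0.1", 40000), ("10.0.0.2", 8080)
FRAMES = [
    build_frame(*A, *B, 1000, b"GET /file.bin\r\n"),
    build_frame(*B, *A, 5000, b"200 OK\r\n"),          # other direction, excluded
    build_frame(*A, *B, 1019, b"second chunk"),         # captured before its predecessor
    build_frame(*A, *B, 1015, b"one "),
    build_frame(*A, *B, 1019, b"second chunk"),         # retransmission
]
SAMPLE_PCAP = build_pcap(FRAMES)
TRUNCATED_PCAP = build_pcap(FRAMES, snaplen=60)        # simulates a too-small snaplen

if __name__ == "__main__":
    payload, cut = extract_stream(SAMPLE_PCAP, *A, *B)
    with open("stream.bin", "wb") as fh:               # raw payload, no headers
        fh.write(payload)
    print("wrote %d bytes; %d frames were truncated by the snaplen" % (len(payload), cut))
```

To use it on a real file, replace `SAMPLE_PCAP` with the bytes of your capture (saved from Wireshark as classic pcap, not pcapng) and pass the connection's own addresses and ports. If the truncated-frame count is non-zero, the output is incomplete by construction and the capture has to be redone with a larger snaplen.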
question asked: 10 Aug '14, 01:36

question was seen: 59,392 times

last updated: 11 Aug '14, 05:34