This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

exporting payload data in binary file

Hi,

I have successfully created a filter and captured the packets I need. I have looked at the various save and export options in Wireshark, and fail to find an option to save only the payload data in a binary file without any file headers or formatting.

Is this possible in Wireshark, or do I need to create some sort of script to do this?

Thanks in advance for any replies.

binary export payload

asked 10 Aug '14, 01:36

yulquen
26●1●1●3
accept rate: 0%

One Answer:

Is this possible in Wireshark, or do I need to create some sort of script to do this?

Wireshark

right click on one of the frames and select "Follow TCP Stream" (or "Follow UDP Stream"). In the pop-up windows select the bytes you are interested in and save them in raw format.
or use the Wireshark Export options: http://www.wireshark.org/docs/wsug_html_chunked/ChIOExportSection.html

Scripting:

You could use tshark
or write a TAP/Listener with Lua

tshark examples:

http://ask.wireshark.org/questions/23827/get-tcp-and-udp-payloads-with-tshark
http://ask.wireshark.org/questions/15374/dump-raw-packet-data-field-only
run tshark -nr input.pcap -Vx and then parse the output

Lua Examples:

http://wiki.wireshark.org/Lua/Examples
http://wiki.wireshark.org/Lua/Taps

Regards
Kurt

answered 10 Aug '14, 06:24

Kurt Knochner ♦
24.8k●10●39●237
accept rate: 15%

edited 10 Aug '14, 06:25

Follow TCP stream seems to be the easiest solution, but there seems to be a limitation.

When I select the first packet and Follow TCP stream, only a small part of the data is available (about 204KB of 16MB's of data capture). Saving as raw gives me the payload data I wanted, but only a small fraction of the whole data set.

(10 Aug '14, 13:14) yulquen

did you limit the frame size during the capture phase?

Please check if bytes on wire and bytes captured (Frame layer) are identical.

(10 Aug '14, 14:09) Kurt Knochner ♦

They are the same (1514 bytes).

My capture have 10881 packets. If I select a "Follow TCP stream" the dropdown says "Entire conversation (204400 bytes)" and when I do a raw save, thats how big my file gets.

TCP segment length is 1460 so it amounts to payload from exactly 140 packets instead of 10881.

(10 Aug '14, 14:32) yulquen

hm.. could be a bug. What is your

OS and OS version
Wireshark version

(10 Aug '14, 14:53) Kurt Knochner ♦

win7 pro 64bit sp1
wireshark Version 1.12.0 (v1.12.0-0-g4fab41a from master-1.12)

(11 Aug '14, 00:39) yulquen

can you please try version 1.10.9?

(11 Aug '14, 02:44) Kurt Knochner ♦

done, same result.

(11 Aug '14, 03:18) yulquen

well, then it's probably related to your capture file. Is there any special protocol on top of TCP that Wireshark 'detetcs', like SMTP, HTTP, etc.?

(11 Aug '14, 04:11) Kurt Knochner ♦

The packet details only lists Ethernet II, IP V4 and TCP for all packets.

If I disable all other protocols, theres an additional listing for data (1460 bytes). But even so, selecting "Follow TCP stream", it still says 204400 bytes in total. Looking av the raw export file in a hex-viewer, it is clear that Wireshark just exports the payload from the 140 first frames, and leaves the rest of them out .

(11 Aug '14, 04:43) yulquen

it is clear that Wireshark just exports the payload from the 140 first frames, and leaves the rest of them out .

hm... sounds like a bug. Please file a bug report at https://bugs.wireshark.org and add a reference to this question. Please add as much information as possible, e.g. a smaller capture file that helps to reproduce the problem.

(11 Aug '14, 05:34) Kurt Knochner ♦

showing 5 of 10 show 5 more comments