This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract TCP Payload from PDML file

Hi,

I am currently trying to write a program which parses a PDML file and extracts the TCP payload for packets sent from a particular IP, I need this in the form of a Hex dump.

The problem I have, is not all packets have a simple "fake-field-wrapper". And some contain application layer data such as SMB.

What would be the best way of dumping the hex for these packets?

Also, I would only like to output all of the TCP payload from a single TCP stream. How do you know what is a 'single' TCP stream, any type of identifier? Or would I just have to do a for loop and fetch every packet until an ACK/SYN packet?

hexdump pdml smb parsing

asked 25 Aug '14, 03:55

WireTshark
5●2●2●5
accept rate: 0%

edited 25 Aug '14, 04:45

Jasper ♦♦
23.8k●5●51●284

Is it a requirement that this be done through PDML, or is working with the raw .pcap file a possibility?

(25 Aug '14, 06:58) Quadratic

I would like to see if it could be done with PDML output. If the possibility of this is limited, I could consider looking at raw.pcap files

(25 Aug '14, 07:14) WireTshark

One Answer:

So I assume my answer to this question helps you with most of what you're asking for here, leaving only the last part of your question regarding how to output all of the TCP payload from a single TCP stream.

I would say that probably the easiest ways to achieve this are to use one of the following methods:

Apply a display filter for the tcp stream number you're interested in, e.g., tcp.stream == 1, and then only export those displayed packets. The tcp.stream field is a Wireshark-generated field, which you can find by expanding the TCP protocol in the packet details pane.
In the packet details pane, right-click on a packet of interest and choose, "Conversation Filter -> TCP". This effectively accomplishes the same thing as the first method.

answered 26 Aug '14, 08:51

cmaynard ♦♦
9.4k●10●38●142
accept rate: 20%