This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

see UDP data with tshark

0

i have this pcap file

in wireshark i can see data (click packet and goto floww UDP stream..)

but when i show data in tshark, tshark print empty line,

my command is this:

tshark -r dns.cap -T fields -e data

i want see data in packet as HEX format

asked 31 Dec '14, 03:32

Babyy's gravatar image

Babyy
476236
accept rate: 0%

2 Answers:

2

In your question you called it "data", but there is no "data" field in your captured packets, and you did this command:

tshark -r dns.cap -T fields -e data

That command will print out the value of the data field - "data" is a real name of a field in Wireshark/tshark, and it usually represents un-parsed payload bytes in the packet. But your capture of a DNS query and response has no data field in it, so you see nothing print out when you run that command. The same happens if you put "data" in the display filter of Wireshark: you won't see any packets displayed because no packet in your capture has a data field.

When you select "Follow UDP stream" in Wireshark, it shows you the raw UDP payload bytes of the UDP packet(s) of the UDP conversation, but they're not a "data" field.

I don't know of any tshark command which will print the UDP payload as raw bytes/hex directly. There are other, indirect, ways of getting the payload. One way is to follow the directions given in the answer to this previous question, by using the Lua script shown in that answer and using the following command for your case:

tshark -r dns2.cap -X lua_script:extract.lua -X lua_script1:dns -T fields -e extractor.value.hex

answered 31 Dec '14, 12:02

Hadriel's gravatar image

Hadriel
2.7k2939
accept rate: 18%

This command also prints a blank line :|

(01 Jan '15, 09:45) Babyy
1

Doesn't for me - I get the following two lines:

F8F401000001000000000000057961686F6F03636F6D0000010001
F8F481800001000300000000057961686F6F03636F6D0000010001C00C00010001000002430004628BB718C00C00010001000002430004CEBE242DC00C00010001000002430004628AFD6D
(01 Jan '15, 10:07) Hadriel

What version of shark do you have? Run: "tshsark -v" and paste the output here.

(01 Jan '15, 10:08) Hadriel

thank you, my t shark version is : TShark 1.6.7

(01 Jan '15, 11:23) Babyy

Oh wow. Version 1.6.7 is ancient history. That won't even run the Lua script. You should upgrade - version 1.12.2 is the most recent stable release. Get it from the Wireshark downloads page.

(01 Jan '15, 11:34) Hadriel

0

Which bit of the "data" do you want, the Ethernet header, the IP header, the UDP Header or the DNS query and response?

You can get all of the hex bytes with -x.

answered 31 Dec '14, 06:25

grahamb's gravatar image

grahamb ♦
19.8k330206
accept rate: 22%

i want see UDP data both query and response

(31 Dec '14, 10:52) Babyy