This is our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.
0
1

I have tried the following tshark command and the matching is working fine

tshark -R "tcp contains SEK" -2 -r 2015-03-04.pcap -T fields -e tcp

However, the output of the tcp field doesn't include the full data payload. Instead it contains a friendly summary.

Transmission Control Protocol, Src Port: 18083 (18083), Dst Port: 53649 (53649), Seq: 1, Ack: 1, Len: 205

I've done a bunch of Googling and have found similar questions, but the fields they indicate to use don't exist or are empty. I've tried tcp.data, data.data, text, tcp.segment_data and some others.

broset's answer to this question came close in that it appears to get me the undecoded payload.

How do I instruct tshark to output the full decoded TCP payload without any ethernet, IP or TCP headers? Ideally I could do this without disabling the protocol dissector in Wireshark.

Thanks much, Rob

asked 05 Mar '15, 07:38

rosensama's gravatar image

rosensama
6123
accept rate: 0%

edited 05 Mar '15, 07:55

What I think I want is my protocol dissector to include a .DecodedMessage field.

(06 Mar '15, 05:11) rosensama

You can do it in two steps.

tshark -R "tcp contains SEK" -2 -r 2015-03-04.pcap -T fields -e tcp.stream

Take the stream numbers from the output and run the following command:

ASCII:

tshark -nr 2015-03-04.pcap -q -z follow,tcp,ascii,xxxxx

Hex:

tshark -nr 2015-03-04.pcap -q -z follow,tcp,hex,xxxxx

Please replace xxxxx with the tcp stream number.

Obviously you can automate the whole process with a script.

Regards
Kurt

permanent link

answered 05 Mar '15, 16:44

Kurt%20Knochner's gravatar image

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

Thanks. This does work in spirit as the second step does return the ASCII decoded payload. Unfortunately, I have long lived streams and while I can find the handful of packets I'm interested in the in first step, but then the second step returns far more packets (100,000's) than I'm interested in.

(06 Mar '15, 05:00) rosensama
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "title")
  • image?![alt text](/path/img.jpg "title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

Question tags:

×832
×752
×58
×34

question asked: 05 Mar '15, 07:38

question was seen: 19,054 times

last updated: 06 Mar '15, 05:11

p​o​w​e​r​e​d by O​S​Q​A