I have tried the following tshark command and the matching is working fine However, the output of the I've done a bunch of Googling and have found similar questions, but the fields they indicate to use don't exist or are empty. I've tried broset's answer to this question came close in that it appears to get me the undecoded payload. How do I instruct tshark to output the full decoded TCP payload without any ethernet, IP or TCP headers? Ideally I could do this without disabling the protocol dissector in Wireshark. Thanks much, Rob asked 05 Mar '15, 07:38  rosensama edited 05 Mar '15, 07:55 |
One Answer:
You can do it in two steps.
Take the stream numbers from the output and run the following command: ASCII:
Hex:
Please replace xxxxx with the tcp stream number. Obviously you can automate the whole process with a script. Regards answered 05 Mar '15, 16:44  Kurt Knochner ♦ Thanks. This does work in spirit as the second step does return the ASCII decoded payload. Unfortunately, I have long lived streams and while I can find the handful of packets I'm interested in the in first step, but then the second step returns far more packets (100,000's) than I'm interested in. (06 Mar '15, 05:00) rosensama |
What I think I want is my protocol dissector to include a .DecodedMessage field.