Hello, I was able to follow a TCP stream with the newest releases of tshark:

tshark -r file.cap -q -z follow,tcp,ascii,0

Unfortunately my traffic is EBCDIC encoded, and while I can read it with Wireshark I can't with tshark; it is missing the ebcdic format while it still has hex and raw. Can anyone help me find a solution?

asked 07 Jun '15, 22:29 pippo
2 Answers:
This is not supported yet, so I uploaded a patch adding this capability to the code review website.

answered 08 Jun '15, 12:28 Pascal Quantin

The patch is now merged and is available starting from version v1.99.7rc0-135-ge28339e. You can download a nightly build from here: https://www.wireshark.org/download/automated/ (08 Jun '15, 22:25) Pascal Quantin
O.K. by "I need to read the payload" you (most certainly) mean, tshark shall print the characters on the console for you to read it, right? If so, you'll have to print the TCP payload with tshark in hex mode (-z follow,tcp,hex,0) and then use a Perl script (or any other scripting language you prefer) to convert the hex output to EBCDIC and then convert to ASCII, to be able to print it on the console.
Function: ebcdic2ascii(). As an alternative, you can use one of the online HEX -> EBCDIC converters (using raw output of tshark), but I guess that won't help you, as it involves a manual step. OR, wait until the code change of @Pascal Quantin has been finished ;-)

Regards

answered 08 Jun '15, 12:40 Kurt Knochner ♦

I tried it and seem to fail in converting the data into something readable. Unfortunately I can't provide a sample of tn3270 as it contains sensitive info :( (09 Jun '15, 09:55) pippo
What are you trying to do? Print the EBCDIC encoded "text" on your DOS box screen with tshark?
I just need to read the payload in a tn3270 session. I can read it OK with Wireshark's Follow TCP Stream by selecting EBCDIC, but I can't from tshark.
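
The hex-then-convert approach from the second answer, as an added example that is not part of the original thread and not code from either poster. It assumes the dump rows carry an 8-digit offset followed by up to 16 hex bytes, that Node 1 rows are indented, and that the host uses code page cp037; the function names and the sample dump are constructed for illustration.

```python
import re

# One dump row: optional indent, 8-digit offset, two spaces, 1..16 hex bytes.
# Capping the repeat at 16 keeps the printable column on the right out of the match.
ROW = re.compile(r"(\s*)[0-9A-Fa-f]{8}  ((?:[0-9A-Fa-f]{2}(?: {1,2}|$)){1,16})")

def parse_follow_hex(text):
    """Return [(node, bytes)] in capture order, merging consecutive rows per node."""
    segments = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # banner, "Follow:", "Filter:" and "Node N:" lines
        node = 1 if m.group(1) else 0  # assumption: Node 1 rows are indented
        data = bytes.fromhex(m.group(2))
        if segments and segments[-1][0] == node:
            segments[-1] = (node, segments[-1][1] + data)
        else:
            segments.append((node, data))
    return segments

def ebcdic_to_text(data, codepage="cp037"):
    """Decode EBCDIC; Telnet negotiation and 3270 control bytes come out as '.'."""
    text = data.decode(codepage)  # assumption: cp037; other hosts use cp500 or cp1047
    return "".join(c if c.isascii() and c.isprintable() else "." for c in text)

def decode_stream(text, codepage="cp037"):
    """Hex dump text in, [(node, readable text)] out."""
    return [(node, ebcdic_to_text(data, codepage))
            for node, data in parse_follow_hex(text)]

# Constructed sample in the assumed layout, not a real capture.
SAMPLE = "\n".join([
    "=" * 67,
    "Follow: tcp,hex",
    "Filter: tcp.stream eq 0",
    "Node 0: 192.0.2.10:50000",
    "Node 1: 192.0.2.20:23",
    "00000000  c8 c5 d3 d3 d6" + " " * 36 + ".....",
    "\t00000000  e4 e2 c5 d9 c9 c4 40 f0  f1" + " " * 23 + "......@..",
    "=" * 67,
])

if __name__ == "__main__":
    for node, text in decode_stream(SAMPLE):
        print(f"Node {node}: {text}")
```

If the decoded text is mostly dots, the usual cause is a code page mismatch, so try another EBCDIC codec name in the codepage argument before suspecting the parser.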