This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

tshark follow tcp stream for EBCDIC

0

Hello, I was able to follow a TCP stream with the newest releases of tshark: tshark -r file.cap -q -z follow,tcp,ascii,0 . Unfortunately my traffic is EBCDIC encoded, and while I can read it with Wireshark, I can't with tshark: it is missing the EBCDIC format while it still has hex and raw. Can anyone help me find a solution?

asked 07 Jun '15, 22:29

pippo

What are you trying to do? Print the EBCDIC encoded "text" on your DOS box screen with tshark?

(08 Jun '15, 01:15) Kurt Knochner ♦

I just need to read the payload in a tn3270 session. I can read it OK with Wireshark's follow TCP stream by selecting EBCDIC, but I can't from tshark.

(08 Jun '15, 05:02) pippo

2 Answers:

0

This is not supported yet, so I uploaded a patch adding this capability to the code review website.

answered 08 Jun '15, 12:28

Pascal Quantin

The patch is now merged and is available starting from version v1.99.7rc0-135-ge28339e. You can download a nightly build from here: https://www.wireshark.org/download/automated/

(08 Jun '15, 22:25) Pascal Quantin

0

O.K. by "I need to read the payload" you (most certainly) mean, tshark shall print the characters on the console for you to read it, right? If so, you'll have to print the TCP payload with tshark in hex mode (-z follow,tcp,hex,0) and then use a Perl script (or any other scripting language you prefer) to convert the hex output to EBCDIC and then convert to ASCII, to be able to print it on the console.

http://search.cpan.org/~cxl/Convert-EBCDIC-0.06/lib/Convert/EBCDIC.pm

Function: ebcdic2ascii().

http://objectmix.com/perl/20922-hex-ebcdic.html

As an alternative, you can use one of the online HEX -> EBCDIC converters (using raw output of tshark), but I guess that won't help you, as it involves a manual step.

OR, wait until the code change of @Pascal Quantin has been finished ;-)

Regards
Kurt

answered 08 Jun '15, 12:40

Kurt Knochner ♦

I tried it and seem to fail in converting the data into something readable. Unfortunately I can't provide a sample of tn3270 as it contains sensitive info :(

(09 Jun '15, 09:55) pippo
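
The hex-to-text conversion described in the second answer, as an added Python example that is not part of the original thread: it reads tshark's raw follow output (the answer mentions both the hex and raw modes) and decodes each payload line as EBCDIC. The CP037 code page, the assumed output layout (header lines, then one hex string per segment, tab-indented for Node 1) and the sample text are assumptions constructed for illustration.

```python
import re

# Constructed sample of `tshark -r file.cap -q -z follow,tcp,raw,0` output.
# Assumed layout: header lines, then one hex string per segment; lines sent
# by Node 1 are indented with a tab.
SAMPLE = """\
===================================================================
Follow: tcp,raw
Filter: tcp.stream eq 0
Node 0: 192.0.2.10:50000
Node 1: 192.0.2.20:23
\tc8c5d3d3d640e6d6d9d3c4
d3d6c7d6d540e4e2c5d9f0f1
\t05c1c2c3
===================================================================
"""

# A payload line is an optional leading tab followed only by hex byte pairs.
HEX_LINE = re.compile(r"^(\t?)((?:[0-9A-Fa-f]{2})+)$")


def decode_follow_raw(text, codepage="cp037"):
    """Return [(node, decoded_text), ...], one entry per payload line.

    codepage is an assumption: hosts may use another EBCDIC variant
    (Python also ships cp500 and cp1140, for example).
    """
    out = []
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if not m:
            continue  # header, separator or blank line
        node = 1 if m.group(1) else 0
        decoded = bytes.fromhex(m.group(2)).decode(codepage, errors="replace")
        # Telnet negotiation and 3270 order bytes are not text; show them
        # as dots so the readable fields stand out.
        printable = "".join(c if c.isprintable() else "." for c in decoded)
        out.append((node, printable))
    return out


if __name__ == "__main__":
    for node, text in decode_follow_raw(SAMPLE):
        print(f"node {node}: {text}")
```

If the decoded text is unreadable, a different EBCDIC code page passed as `codepage` is the first thing to check.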