I have USB traffic pcap files that I would like to take the value from the 'Leftover capture data' field and have all of the data from that field in every packet saved to a new file. I can do this by right clicking on the field and selecting "Export selected package bytes..." for a single packet, but I need a fast way to do it for all of them. Does anyone know if there is a way to do this? Windows based solutions would also be preferred.
asked 18 Jun '15, 07:38 dippy
One Answer:
If I understand you right, then you just need the content of the field "usb.capdata" (USB Leftover) printed in a single file. This goal could be reached quickly and easily with the following tshark Windows command line example:

    tshark -r "C:\Temp\USB_Leftover.pcap" -T fields -e usb.capdata > C:\Temp\output.txt

The output contains only the value of the field "usb.capdata". Every packet is represented by a line. If a line is empty, then the specific packet doesn't contain the field "usb.capdata".

Example:
Or do you need further field information?
answered 18 Jun '15, 14:17 Christian_R
I need the character representation of the hex/ascii to print out. So if the value is 61 (hex) I need that to be a.
You could try this:
After that you could do the following steps:
1. Open the file C:\Temp\test3.txt with an editor and remove all ":"
2. Then copy the data and paste it into the hex view of a hex editor. (I tried PSPad)
Further remark:
Under Linux you can use the command xxd to convert the hex dump into a binary. This tool is part of the vim for windows port and can be found here:
https://bitbucket.org/Haroogan/vim-for-windows/downloads
Regarding my last comment, the command you can use instead of step 2 is:
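Added example, not part of the original thread and not the command the comment above refers to: a Python script that does the colon removal and hex-to-character conversion for every line of the tshark output in one pass. The script name `capdata.py`, the output name `capdata.bin` and the sample lines are assumptions made for illustration; the input is a file such as C:\Temp\output.txt produced by the tshark command in the answer.

```python
import re
import sys

# One usb.capdata value per line: hex byte pairs, with or without ':' separators
# (both forms are accepted so the script does not depend on how tshark prints them).
HEX_LINE = re.compile(r"^[0-9A-Fa-f]{2}(?::?[0-9A-Fa-f]{2})*$")

def capdata_to_bytes(line):
    """Decode one line of `tshark -T fields -e usb.capdata` output to bytes.

    An empty line means the packet had no usb.capdata field and yields b"".
    Anything that is not pure hex raises ValueError instead of being guessed at.
    """
    text = line.strip()
    if not text:
        return b""
    if not HEX_LINE.match(text):
        raise ValueError(f"not a usb.capdata hex string: {text!r}")
    return bytes.fromhex(text.replace(":", ""))

def to_text(data):
    """Render bytes as characters (0x61 -> 'a'); non-printable bytes become '.'.

    Capture data is untrusted, so control bytes are never echoed to the terminal.
    """
    return "".join(chr(b) if 0x20 <= b <= 0x7E else "." for b in data)

def convert(lines):
    """Return (all payload bytes concatenated, one text line per non-empty packet)."""
    payloads = [capdata_to_bytes(line) for line in lines]
    return b"".join(payloads), [to_text(p) for p in payloads if p]

# Constructed sample lines, not taken from a real capture.
SAMPLE = ["61:62:63", "", "0a:ff", "48656c6c6f"]

if __name__ == "__main__":
    # Usage (hypothetical file names): python capdata.py output.txt capdata.bin
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as src:
            raw, text = convert(src)
        with open(sys.argv[2], "wb") as dst:
            dst.write(raw)  # exact bytes, same result as pasting into a hex editor
    else:
        raw, text = convert(SAMPLE)
    print("\n".join(text))
```

The binary file holds the exact payload bytes; the printed lines are a display form only and lose any non-printable values.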