This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Dump packet ‘Leftover Data Capture’ field only?


I have usb traffic pcap files that I would like to take the value from the 'Leftover capture data' field and have all of the data from that field in every packet save to a new file. I can do this by right clicking on the field and selecting "Export selected package bytes..." for a single packet, but I need a fast way to do it for all of them. Does anyone know if there is a way to do this?

Windows based solutions would also be preferred.

asked 18 Jun '15, 07:38

dippy


One Answer:


If I understand you right, then you just need the content of the field "usb.capdata" (USB Leftover) printed into a single file. This goal can be reached quickly and easily with the following tshark Windows command-line example:

tshark -r "C:\Temp\USB_Leftover.pcap" -T fields -e usb.capdata > C:\Temp\output.txt

The output contains only the value of the field "usb.capdata". Every packet is represented by a line. If a line is empty, then the specific packet doesn't contain the field "usb.capdata".

Example:

41:6e:00:65:00:77::ff

74:68:69:73:20:69::00

Or do you need further field information?

answered 18 Jun '15, 14:17

Christian_R

I need the character representation of the hex/ascii to print out. So if the value is 61 (hex) I need that to be a.

(19 Jun '15, 06:00) dippy

You could try this:

tshark -r "C:\Temp\USB_Leftover.pcap" -T fields -e usb.capdata -Y usb.capdata >C:\Temp\test3.txt

After that you could do the following steps:

1. Open the file C:\Temp\test3.txt with an editor and remove all ":"

2. Then copy the data and paste it into the hex view of a hex editor. (I tried PSPad)

(19 Jun '15, 13:45) Christian_R

Further remark:

Under Linux you can use the command xxd to convert the hex dump into a binary. This tool is also part of the Vim for Windows port and can be found here:

https://bitbucket.org/Haroogan/vim-for-windows/downloads

Regarding my last comment, the command you can use instead of step 2 is:

xxd -r -ps C:\temp\test3.txt > c:\temp\test3.bin

(19 Jun '15, 14:46) Christian_R
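The whole procedure from this thread (export usb.capdata with tshark, drop the colons, turn the hex into bytes and into readable characters) as one script. This is an added example, not code from the original post; the sample tshark output and the file names are constructed assumptions, and the script also handles an empty line (packet without the field) and a comma-joined line (tshark's output when the field occurs more than once in a packet).

```python
# Convert tshark "-T fields -e usb.capdata" output (one colon-separated hex line
# per packet, empty when the field is absent) into raw bytes and printable text.
import sys
from pathlib import Path

# Constructed sample of tshark output (not from the original post): packet 2
# lacks the field, packet 4 shows tshark joining two occurrences with a comma.
SAMPLE_TSHARK_OUTPUT = """\
41:6e:00:65:00:77:00:ff

74:68:69:73:20:69:00:00
68:65:6c:6c:6f,77:6f:72:6c:64
"""

def parse_capdata_line(line: str) -> list[bytes]:
    """One output line -> list of byte strings (one per field occurrence)."""
    occurrences = []
    for chunk in line.strip().split(','):
        if not chunk:
            continue  # empty line: this packet has no usb.capdata field
        hex_tokens = [tok for tok in chunk.split(':') if tok]  # tolerate '::'
        try:
            occurrences.append(bytes(int(tok, 16) for tok in hex_tokens))
        except ValueError:  # malformed token: skip it, but say so
            print(f"skipping malformed line: {line!r}", file=sys.stderr)
    return occurrences

def capdata_to_bytes(text: str) -> list[bytes]:
    """Every packet's Leftover Capture Data, in file order."""
    result = []
    for line in text.splitlines():
        result.extend(parse_capdata_line(line))
    return result

def printable(data: bytes) -> str:
    """ASCII view: printable 7-bit characters as-is, everything else as '.'."""
    return ''.join(chr(b) if 0x20 <= b < 0x7f else '.' for b in data)

def convert_file(src: Path, dst: Path) -> int:
    """Write the concatenated bytes to dst (like xxd -r -ps); return byte count."""
    blob = b''.join(capdata_to_bytes(src.read_text()))
    dst.write_bytes(blob)
    return len(blob)

if __name__ == "__main__":
    if len(sys.argv) == 3:  # python capdata_to_bin.py output.txt output.bin
        print(convert_file(Path(sys.argv[1]), Path(sys.argv[2])), "bytes written")
    else:  # no arguments: demonstrate on the constructed sample
        for pkt in capdata_to_bytes(SAMPLE_TSHARK_OUTPUT):
            print(pkt.hex(':'), '->', printable(pkt))
```

Feed it the file produced by the tshark command above (output.txt) and it writes the same binary that step 1 plus xxd -r -ps would give, while the no-argument run shows the character view dippy asked for.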