Hello- Using the latest development version for Mac OS X which does NOT require x-windows ie 1.99.9. When I follow a tcp stream and want to save the data, there is no "Raw" format available, only: The below documentation for version 1.99.9 indicates it should be available. Am I missing something? Is "raw" going to be available in a future release? Is there something I can do in the mean time to be able to save it in "raw" format? The doc below still has the x-windows look in the images rather than the normal Mac GUI. https://www.wireshark.org/docs/wsug_html_chunked/ChAdvFollowTCPSection.html 7.2. Following TCP streams If you are working with TCP based protocols it can be very helpful to see the data from a TCP stream in the way that the application layer sees it. Perhaps you are looking for passwords in a Telnet stream, or you are trying to make sense of a data stream. Maybe you just need a display filter to show only the packets of that TCP stream. If so, Wireshark’s ability to follow a TCP stream will be useful to you. Simply select a TCP packet in the packet list of the stream/connection you are interested in and then select the Follow TCP Stream menu item from the Wireshark Tools menu (or use the context menu in the packet list). Wireshark will set an appropriate display filter and pop up a dialog box with all the data from the TCP stream laid out in order, as shown in Figure 7.1, “The “Follow TCP Stream” dialog box”. [Note] Note Opening the “Follow TCP Stream” installs a display filter to select all the packets in the TCP stream you have selected. 7.2.1. The “Follow TCP Stream” dialog box Figure 7.1. The “Follow TCP Stream” dialog box wsug_graphics/ws-follow-stream.png The stream content is displayed in the same sequence as it appeared on the network. Traffic from A to B is marked in red, while traffic from B to A is marked in blue. If you like, you can change these colors in the “Colors” page if the “Preferences” dialog. Non-printable characters will be replaced by dots. The stream content won’t be updated while doing a live capture. To get the latest content you’ll have to reopen the dialog. You can choose from the following actions: Save As: Save the stream data in the currently selected format. Print: Print the stream data in the currently selected format. Direction: Choose the stream direction to be displayed (“Entire conversation”, “data from A to B only” or “data from B to A only”). Filter out this stream: Apply a display filter removing the current TCP stream data from the display. Close: Close this dialog box, leaving the current display filter in effect. You can choose to view the data in one of the following formats: ASCII: In this view you see the data from each direction in ASCII. Obviously best for ASCII based protocols, e.g. HTTP. EBCDIC: For the big-iron freaks out there. HEX Dump: This allows you to see all the data. This will require a lot of screen space and is best used with binary protocols. C Arrays: This allows you to import the stream data into your own C program. Raw: This allows you to load the unaltered stream data into a different program for further examination. The display will look the same as the ASCII setting, but “Save As” will result in a binary file. asked 07 Sep '15, 18:24 securitysam |
2 Answers:
This is already tracked by bug 11118. answered 07 Sep '15, 22:58 Pascal Quantin |
A quick look at the code suggests that the Qt version may have renamed the option from "Raw" to "UTF-8". Try that. answered 08 Sep '15, 12:05 Guy Harris ♦♦ Thanks Guy, that was the first thing I tried. Unfortunately, I'm trying to extract a base64 encoded pdf from a pcap and saving it in UTF-8 does not allow the base64 -d command to decode it properly and it does not have the proper format for a pdf. The Linux version which still has the RAW format available does come out properly. (08 Sep '15, 12:31) securitysam It's not "Linux vs. OS X", it's "GTK+ vs. Qt" - the Linux Qt version won't have it either. (08 Sep '15, 12:43) Guy Harris ♦♦ Thanks for the correction, and my apologies for using incorrect terminology; by Linux I meant GTK+ as I don't run, nor did I know until now, that it was possible to run Qt on Linux. When I wrote the reply I was in a bit of a rush, and could not recall the full acronym for GTK (I was thinking GT, but it didn't sound right, so I went with Linux). (08 Sep '15, 13:14) securitysam The current official releases are GTK+ on all OSes, which is GTK+-on-X11 on OS X. The intent is that the 2.0 release will be Qt on all OSes, without require X11 on OS X. (08 Sep '15, 13:35) Guy Harris ♦♦ |
Well at least is is on the record as being missing then. Thanks!