Export Packet Bytes works on a single packet because in a raw data output, there is no way to separate the pieces of data coming from individual packets from each other. Your particular task may not require the separation (i.e. a continuous stream of raw data may be what you actually need), however that's how it works now.
If you don't mind that the contents of the protocol fields you are interested in are not always output as hex but sometimes as an ASCII string, then tshark -r your_file_name -Y "your_display_filter_expression" -T fields -e field_1_name -e field_2_name is your best friend; if not, try -T pdml instead, where you get show and value items for most (yet not all) fields, like in the following example:
<field name="usb.urb_ts_usec" showname="URB usec: 948741" size="4" pos="24" show="948741" value="057a0e00"/>
However, the -e option does not work together with -T pdml, so the output is really huge. And you'll have to post-process the pdml output with something grep- and sed-like to extract only the required data from it.
While you cannot mark packets in tshark, you can use the display filter to define ranges. -Y "tcp and ((frame.number >= 5 and frame.number <= 10) or (frame.number >= 100 and frame.number <= 108))" is an example of a filter which lets through all TCP packets which exist inside ranges 5-10 and 100-108.
Instead of (commandline) tshark, you may use File -> Export Packet Dissections -> As PDML XML in (GUI) Wireshark for the same purpose; in this case, you can specify the list of ranges directly in a dedicated form field (like 5-10,100-108 to match the above example), yet the need to post-process the pdml output remains.
answered 01 May '16, 05:28
sindy
6.0k●4●8●51
accept rate: 24%
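The post-processing step the answer leaves to "something grep- and sed-like" is shown here as an added Python example; it is not code from the answer or from the Wireshark project. It parses a PDML document, keeps only packets whose frame.number falls inside the same kind of ranges the answer's display filter expresses (5-10 and 100-108), pulls the requested fields per packet, converts each field's value attribute from hex to bytes, and falls back to the show attribute when a field carries no value attribute (the "most, yet not all" case the answer mentions). The PDML text embedded below is constructed for the example, modelled on the one field element quoted in the answer, and is not real capture output.

```python
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

# Constructed PDML excerpt (not real tshark output), shaped like the
# <field .../> element quoted in the answer. Frame 100 deliberately has a
# field with no value attribute, to exercise the fallback to show.
SAMPLE_PDML = """<pdml version="0" creator="example">
  <packet>
    <proto name="frame" showname="Frame 5" size="64" pos="0">
      <field name="frame.number" showname="Frame Number: 5" size="0" pos="0" show="5"/>
    </proto>
    <proto name="usb" showname="USB URB" size="27" pos="0">
      <field name="usb.urb_ts_usec" showname="URB usec: 948741" size="4" pos="24" show="948741" value="057a0e00"/>
      <field name="usb.transfer_type" showname="URB transfer type: URB_BULK (0x03)" size="1" pos="9" show="0x03" value="03"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame" showname="Frame 6" size="64" pos="0">
      <field name="frame.number" showname="Frame Number: 6" size="0" pos="0" show="6"/>
    </proto>
    <proto name="usb" showname="USB URB" size="27" pos="0">
      <field name="usb.urb_ts_usec" showname="URB usec: 948802" size="4" pos="24" show="948802" value="427a0e00"/>
      <field name="usb.capdata" showname="Leftover Capture Data: deadbeef" size="4" pos="27" show="de:ad:be:ef" value="deadbeef"/>
    </proto>
  </packet>
  <packet>
    <proto name="frame" showname="Frame 100" size="64" pos="0">
      <field name="frame.number" showname="Frame Number: 100" size="0" pos="0" show="100"/>
    </proto>
    <proto name="usb" showname="USB URB" size="27" pos="0">
      <field name="usb.urb_ts_usec" showname="URB usec: 1" size="4" pos="24" show="1"/>
    </proto>
  </packet>
</pdml>
"""

Range = Tuple[int, int]


def in_ranges(frame: int, ranges: Optional[List[Range]]) -> bool:
    """Same idea as the answer's display filter: keep the frame if it lies in
    any inclusive (low, high) range. No ranges means keep every packet."""
    if not ranges:
        return True
    return any(low <= frame <= high for low, high in ranges)


def frame_number(packet: ET.Element) -> Optional[int]:
    """Read frame.number from the packet; fields may be nested, so walk all of them."""
    for field in packet.iter("field"):
        if field.get("name") == "frame.number":
            return int(field.get("show"))
    return None


def extract_fields(pdml_text: str, wanted: Set[str],
                   ranges: Optional[List[Range]] = None) -> List[Dict]:
    """Return one record per selected packet: its frame number and, for each
    wanted field present, the show string and the raw bytes decoded from the
    value attribute (None when the field has no usable value attribute)."""
    root = ET.fromstring(pdml_text)
    records = []
    for packet in root.iter("packet"):
        num = frame_number(packet)
        if num is None or not in_ranges(num, ranges):
            continue
        picked: Dict[str, Dict] = {}
        for field in packet.iter("field"):
            name = field.get("name")
            if name not in wanted:
                continue
            raw: Optional[bytes] = None
            hex_value = field.get("value")
            if hex_value is not None:
                try:
                    raw = bytes.fromhex(hex_value)
                except ValueError:
                    raw = None  # not plain hex; leave only the show string
            picked[name] = {"show": field.get("show"), "raw": raw}
        records.append({"frame": num, "fields": picked})
    return records


def concat_field_bytes(records: List[Dict], name: str) -> bytes:
    """Join one field's raw bytes across packets, in frame order. This is the
    continuous-stream view the answer mentions; packet boundaries are lost."""
    return b"".join(
        rec["fields"][name]["raw"]
        for rec in records
        if name in rec["fields"] and rec["fields"][name]["raw"] is not None
    )


if __name__ == "__main__":
    recs = extract_fields(SAMPLE_PDML, {"usb.urb_ts_usec", "usb.capdata"},
                          [(5, 10), (100, 108)])
    for rec in recs:
        for fname, item in rec["fields"].items():
            shown = item["raw"].hex() if item["raw"] is not None else f"(no value) {item['show']}"
            print(f"frame {rec['frame']}: {fname} = {shown}")
```

Run it as `python3 extract_pdml.py` after replacing SAMPLE_PDML with the text of a file produced by tshark -T pdml or by the Wireshark export dialog; for large captures, ET.iterparse over the file is the same logic without holding the whole document in memory.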
Thank you very much, for a most detailed explanation! It's too bad that Wireshark can't do this in itself, but exporting to XML and writing a Python script to post-process it should work well!