I captured HTTP traffic using tcpdump. For each TCP stream I want to extract the RAW TCP contents, ideally all streams to the same file. Manually, I am currently doing the following:
Is there any way to script this using tshark? I was trying for quite some time, but did not succeed. asked 30 Jun '16, 04:38 fk18
One Answer:
Have a look at answered 30 Jun '16, 05:53 Jaap ♦
I've tried that before (tshark -r in.pcap -z follow,tcp,raw,0 -w f). As it seems, Ethernet/IP/TCP headers are still saved to the file. This is exactly what I wanted to avoid.

It is not a filter, it's a statistical tap, which generates statistical output on the console. In this case it also produces records of the data you seek. That is where the post-processing comes in: having to pick up this console output and rework it into a form you can use further down in your toolchain.

What do you mean the Ethernet/IP/TCP headers are saved? If I use -z follow,tcp,ascii,0 on a capture file with HTTP traffic the actual followed data contains only the HTTP (switching to raw is similar but is harder for me to read :-)). There are some brief headers telling you what the tool is doing (which can easily be grep'd out) as well as the frame list (which can be suppressed by adding the -q option), but there aren't any lower-level headers in there.

OHHHH, I see... The -z follow option sends its output to the standard output. If you're putting -w f and looking at the resulting file f then, yes, you're going to see the full headers because f is going to be a PCAPNG file. That's not the output of the -z follow option...

Thanks to your answers and this post, the following script does exactly what I wanted:
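The poster's script itself is not reproduced on the page. As an added example (not the original poster's script and not Wireshark project code), here is one way to do the post-processing described above in Python: enumerate the TCP streams, run the follow tap per stream with -q so only the tap output reaches stdout, decode the hex lines (assumed format: unindented lines are Node 0 to Node 1, tab-indented lines the reverse direction) and append every stream's raw payload to a single file. The embedded sample output is constructed for the offline run.

```python
"""Post-process `tshark -q -z follow,tcp,raw,N` console output into raw payload bytes."""
import re
import subprocess
import sys

# Constructed sample of what `tshark -q -r in.pcap -z follow,tcp,raw,0` prints for one
# HTTP stream (assumed format: unindented hex = Node 0 -> Node 1, tab-indented = reverse).
SAMPLE_OUTPUT = """
===================================================================
Follow: tcp,raw
Filter: tcp.stream eq 0
Node 0: 10.0.0.1:51234
Node 1: 192.0.2.10:80
474554202f20485454502f312e310d0a486f73743a206578616d706c652e636f6d0d0a0d0a
\t485454502f312e3120323030204f4b0d0a0d0a68656c6c6f
===================================================================
"""

HEX_LINE = re.compile(r"^(\t?)([0-9a-fA-F]+)$")

def parse_follow_raw(text):
    """Return (client_bytes, server_bytes) decoded from one stream's follow output.
    Banner lines (Follow:, Filter:, Node N:, ====) carry no payload and are skipped."""
    client, server = bytearray(), bytearray()
    for line in text.splitlines():
        m = HEX_LINE.match(line)
        if m:
            (server if m.group(1) else client).extend(bytes.fromhex(m.group(2)))
    return bytes(client), bytes(server)

def list_streams(pcap):
    """Enumerate the TCP stream indexes in a capture (needs tshark on PATH)."""
    out = subprocess.run(["tshark", "-r", pcap, "-T", "fields", "-e", "tcp.stream"],
                         capture_output=True, text=True, check=True).stdout
    return sorted({int(s) for s in out.split() if s.isdigit()})

def follow_raw(pcap, stream):
    """Run the follow tap for one stream; -q suppresses the per-frame list."""
    cmd = ["tshark", "-q", "-r", pcap, "-z", f"follow,tcp,raw,{stream}"]
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit(f"usage: {sys.argv[0]} in.pcap out.bin")
    with open(sys.argv[2], "wb") as out:
        for n in list_streams(sys.argv[1]):
            client, server = parse_follow_raw(follow_raw(sys.argv[1], n))
            out.write(client + server)  # all streams, raw payload only, into one file
```

Running it as `python3 follow_raw.py in.pcap out.bin` writes only the decoded TCP payloads, with no pcapng or Ethernet/IP/TCP headers, into out.bin.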