This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

export .pcap file in readable format

0

i open with wireshark a .pcap file , so what i need is to somehow export all the data of the specific protocol , i see the data when i expand the tree inside the program but when using the File-> export packet Dissections on csv format i can not see the actual data but only the data of the columns (No ,Time,Source,.....0 ) is there a way to export the actual data of the spesific protocol in a readable format , for example csv ????

asked 28 Feb '17, 23:41

chriskaza81's gravatar image

chriskaza81
6112
accept rate: 0%


One Answer:

0

There are some options to export payload data.

For example you can export objects (e.g. SMB files, TFTP files, HTTP objects...) or you can save the payload of a TCP or UDP stream (Follow TCP Stream -> Save as ASCII, C Array...).

It depends on your requirement and your protocol.

answered 01 Mar '17, 03:45

Uli's gravatar image

Uli
9031515
accept rate: 29%

And don't forget about tshark -T fields

(01 Mar '17, 05:39) Jaap ♦

the protocol is sr15 it is a radar which sends some coordinates and i need somehow to read them from the packet contents . Unfortunately i tried the above you suggested but with no luck. There must me some way to do it i also tried with tshark commands but still can not achieve any results

(01 Mar '17, 09:47) chriskaza81

the protocol is sr15 it is a radar which sends some coordinates

Presumably you either have your own dissector or somebody's plugin; Wireshark doesn't include a dissector for it.

i also tried with tshark commands but still can not achieve any results

If the dissector gives those coordinates names, i.e. treats them as named fields, tshark -T fields should work - use -e flags, and specify the names of the fields as arguments to the -e flags. If it doesn't give those coordinates names, it should be improved so that it does so.

(01 Mar '17, 10:24) Guy Harris ♦♦

Acctually managed to extract the payload running the above command: tshark -r c:\myFile.pcap -x -R frame.number==1>outpout.txt For now this is the only way i found out ..

Also i am looking into the PcapDotNet library , i see the PayloadLayer class but can not see any data in ascii format

(04 Mar '17, 10:10) chriskaza81