
Extract syslog payload in ASCII


Hi. I have a Wireshark capture of syslog data and I need to extract the raw data portion of the packet in ASCII. I can extract the data in the exact format I need by selecting a single packet and clicking 'Export Packet Bytes' from the File menu. But I need to extract this data for every packet in the trace, which isn't feasible in a trace containing thousands of packets. I've tried various permutations of the tshark command but I just can't seem to get it right. The closest I've come is this command, but the output is in hex:

tshark -r syslog.pcap --disable-protocol syslog -T fields -e

What's the trick in getting this output in ASCII?

asked 10 Mar '17, 07:12

One Answer:


You could try:

tshark -r syslog.pcap -T fields -e syslog.msg

answered 10 Mar '17, 07:18

cmaynard ♦♦

Thanks for the reply. That is close, but I need to include the raw facility and level bytes in the output. When I use this: 'tshark -r syslog.pcap -T fields -e syslog'

I get the translated data (i.e. "LOCAL7.INFO") instead of "<190>". I need the output in the "<190>" format.

(10 Mar '17, 07:23) s_m_p

Well, you will probably have to convert the output using external tools. For example, the following almost works, except newlines are lost, so you will probably have to come up with something else.

tshark -r syslog.pcap --disable-protocol syslog -Y "udp.port eq 514" -T fields -e data | xxd -r -p

(10 Mar '17, 09:50) cmaynard ♦♦

OK, sure. I guess I just assumed that since Wireshark displays the data in ASCII, tshark could output it in ASCII too. But sure, I can run this output through a hex>ASCII tool. Thanks for the reply.

(10 Mar '17, 10:43) s_m_p
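Added example, not from the thread: a small Python script that does the hex>ASCII step the comments above leave to external tools. It decodes the per-packet hex that `tshark -T fields -e data` prints one line at a time, so packet boundaries survive (the `xxd -r -p` pipeline runs every payload together), keeps the raw `<190>` prefix, and shows how that number maps to Wireshark's LOCAL7.INFO. The script name syslog_hex2ascii.py and the sample datagrams are assumptions; the sample is constructed inline so the script runs without a capture.

```python
"""Turn `tshark -T fields -e data` hex output back into one syslog line per packet.
Usage: tshark -r syslog.pcap --disable-protocol syslog -Y "udp.port eq 514" \
       -T fields -e data | python3 syslog_hex2ascii.py -
Without '-' it decodes the built-in constructed sample instead."""
import sys

# Facility and severity names indexed by numeric code (RFC 5424 / common syslogd naming).
FACILITIES = ["KERN", "USER", "MAIL", "DAEMON", "AUTH", "SYSLOG", "LPR", "NEWS",
              "UUCP", "CRON", "AUTHPRIV", "FTP", "NTP", "LOGAUDIT", "LOGALERT",
              "CRON2"] + [f"LOCAL{i}" for i in range(8)]
SEVERITIES = ["EMERG", "ALERT", "CRIT", "ERR", "WARNING", "NOTICE", "INFO", "DEBUG"]

# Constructed sample: two syslog datagrams as tshark prints them, one hex string per packet.
SAMPLE_MESSAGES = ["<190>Jan 10 07:12:00 host1 pppd: link up",
                   "<34>Jan 10 07:12:01 host2 su: authentication failure"]
SAMPLE_TSHARK_OUTPUT = "\n".join(m.encode("ascii").hex() for m in SAMPLE_MESSAGES) + "\n"

def decode_field_lines(hex_lines):
    """Decode each hex field into its own message, keeping packet boundaries.

    `xxd -r -p` over the whole stream ignores the newlines and runs all
    payloads together; decoding line by line is what keeps them apart."""
    messages = []
    for line in hex_lines:
        line = line.strip()
        if not line:                  # a packet without a data field prints an empty line
            continue
        raw = bytes.fromhex(line)
        messages.append(raw.decode("ascii", errors="replace"))  # keep going on non-ASCII bytes
    return messages

def parse_pri(message):
    """Split a leading '<PRI>' into (facility, severity, rest); None if absent or invalid.

    PRI = facility * 8 + severity, so '<190>' is LOCAL7 (23) . INFO (6)."""
    end = message.find(">", 1, 5)     # PRI is one to three digits between '<' and '>'
    if not message.startswith("<") or end == -1 or not message[1:end].isdigit():
        return None
    pri = int(message[1:end])
    if pri > 191:                     # 24 facilities * 8 severities - 1
        return None
    facility, severity = divmod(pri, 8)
    return FACILITIES[facility], SEVERITIES[severity], message[end + 1:]

if __name__ == "__main__":
    source = sys.stdin if sys.argv[1:] == ["-"] else SAMPLE_TSHARK_OUTPUT.splitlines()
    for msg in decode_field_lines(source):
        print(msg)
```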