This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Extract syslog payload in ASCII

0

Hi. I have a Wireshark capture of syslog data and I need to extract the raw data portion of the packet in ASCII. I can extract the data in the exact format I need by selecting a single packet and clicking 'Export Packet Bytes' from the File menu. But I need to extract this data for every packet in the trace, which isn't feasible in a trace containing thousands of packets. I've tried various permutations of the tshark command but I just can't seem to get it right. The closest I've come is this command, but the output is in hex:

tshark -r syslog.pcap --disable-protocol syslog -T fields -e data.data

What's the trick in getting this output in ASCII?

asked 10 Mar '17, 07:12

s_m_p
accept rate: 0%


One Answer:

1

You could try:

tshark -r syslog.pcap -T fields -e syslog.msg

answered 10 Mar '17, 07:18

cmaynard ♦♦
accept rate: 20%

Thanks for the reply. That is close, but I need to include the raw facility and level bytes in the output. When I use this: 'tshark -r syslog.pcap -T fields -e syslog'

I get the translated data (i.e. "LOCAL7.INFO") instead of "<190>". I need the output in the "<190>" format.

(10 Mar '17, 07:23) s_m_p
1

Well, you will probably have to convert the output using external tools. For example, the following almost works, except newlines are lost, so you will probably have to come up with something else.

tshark -r syslog.pcap --disable-protocol syslog -Y "udp.port eq 514" -T fields -e data | xxd -r -p

(10 Mar '17, 09:50) cmaynard ♦♦
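The newline problem in the pipeline above comes from feeding the whole field output to one `xxd -r -p` call: every `-T fields` line is one packet, but the decoder sees a single hex stream and emits the messages back to back. The following is an added example, not code from the thread or from the Wireshark project, that decodes the hex line by line so each packet's raw payload (including the `<190>` priority prefix the asker wants) comes out on its own line. It assumes the tshark command shown in the comment is what feeds it, and it constructs its own sample input instead of reading a capture; it also tolerates the colon-separated byte form (`3c:31:39:30...`) that newer tshark versions print for byte fields.

```shell
#!/bin/sh
# Added example (not from the original thread): turn the hex that
# `tshark -T fields -e data` prints, one packet per line, back into ASCII
# while keeping one syslog message per output line.
#
# Assumed tshark invocation feeding this filter (not run here):
#   tshark -r syslog.pcap --disable-protocol syslog -Y "udp.port eq 514" \
#          -T fields -e data | hex_lines_to_ascii
#
# Decoding per line preserves the per-packet boundaries that a single
# `xxd -r -p` over the whole stream drops. No xxd dependency: a POSIX awk
# lookup table maps each hex pair to its byte. LC_ALL=C keeps bytes >= 0x80
# from being reinterpreted in a UTF-8 locale.

hex_lines_to_ascii() {
    LC_ALL=C awk '
    BEGIN {
        # lookup table: two hex digits -> the byte they encode
        for (i = 0; i < 256; i++) t[sprintf("%02x", i)] = sprintf("%c", i)
    }
    {
        gsub(/:/, "")                     # tolerate colon-separated byte output
        line = tolower($0)
        n = length(line)
        # a payload that already ends in 0x0a gets one newline from print, not two
        if (n >= 2 && substr(line, n - 1) == "0a") { line = substr(line, 1, n - 2); n -= 2 }
        out = ""
        for (i = 1; i <= n; i += 2)
            out = out t[substr(line, i, 2)]
        print out
    }'
}

# Constructed sample of tshark field output (two packets): the first in the
# plain hex form, the second in the colon-separated form.
# Decodes to "<190>host1 app: first" and "<34>su: failed".
SAMPLE_TSHARK_OUTPUT='3c3139303e686f737431206170703a206669727374
3c:33:34:3e:73:75:3a:20:66:61:69:6c:65:64'

decode_sample() {
    printf '%s\n' "$SAMPLE_TSHARK_OUTPUT" | hex_lines_to_ascii
}

decode_sample
```

Replace `decode_sample` with the real tshark pipe from the comment to process a capture; because the decoder never concatenates lines, a trace with thousands of packets yields exactly one raw syslog line per packet, with the numeric `<PRI>` prefix intact rather than the dissector's "LOCAL7.INFO" translation.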

OK, sure. I guess I just assumed that since Wireshark displays the data in ASCII, tshark could output it in ASCII too. But sure, I can run this output through a hex>ASCII tool. Thanks for the reply.

(10 Mar '17, 10:43) s_m_p