Extracting data payload from pcap capture

Question

I would like to extract a single packet data section (payload) from a UDP stream to a file, from a pcap capture, given a packet number in the capture.

I tried the following command

tshark -r fec_1D_10x10.pcap -R "frame.number == 13" -T fields -e data -w fecData.raw

However, the whole packet is saved instead. How could I do that (not necessarily with tshark) ?

Thanks

user1556814 user1556814 · Accepted Answer · 2015-03-31T13:54:00

OK, when -w option is provided, it is not the same behavior as stdout. So, as a workaround, since it seems quite a bit of hack and it is slow:

tshark -r fec_1D_10x10.pcap -R "frame.number == 13" -T fields -e data | tr -d '\n' | perl -pe 's/([0-9a-f]{2})/chr hex $1/gie' > fecData.raw

Extracting data payload from pcap capture

1 Answers