tshark: capture specific bytes from a packet data (content)

0
votes

I have a captured trace (.pcap) file and I want to read the data field of each captured packet in this trace. I can do this using this command:

tshark -r aa.pcap -Tfields -Y "udp" -e data

3000ca02f89f0004000115af0000017900.......

This command reads all the content in the data field of each packet. My question is that how can I read specific bytes from the data (e.g. the 5th and 6th bytes only) 

f89f
1
wiresharktshark
What language are you using? What kind of variable or destination should this data be saved to? - Ross Jacobs
I'm trying to do that using 'tshark' command in my terminal. Any kind of destination would be fine for me. Currently, I use '-e data' option which captures all the data field but I want and an option that can capture part of the data field not all of it. - Joe

1 Answers

1
votes

If you have cut available on your system, you could pipe the tshark output to it to isolate the characters you desire. For example:

tshark -r aa.pcap -Tfields -Y "udp" -e data | cut -c 9-12

You can even test this as follows:

echo 3000ca02f89f0004000115af0000017900 | cut -c 9-12
f89f

EDIT: I adjusted the offsets from 10-13 to 9-12, as that seems to be the correct offsets. If you quote the characters in the echo command, then you need 10-13, but those aren't the right offsets you need for the tshark output.