tshark get only application level data bytes

I'm using tshark to get a .csv of various fields, and I want the application level data (above tcp/udp) as one of the fields. For some of the frames I can get this from "data.data" but not for the frames whose application level protocol has already been dissected.

Is there a way to get just the (app-level) data above tcp/udp layer (in either raw bytes or hex string) for all of the frames? I don't want to use "-x" or something like that to get all of the bytes since then I have to first remove the lower-level layers.

rogerz343
asked 2019-09-26 22:05:04 +0000

2 Answers

For TCP, there is the field tcp.payload which is the TCP segment (payload) of the packet, regardless of the upper layer protocol.

For UDP there is not yet(?) such a field. If you would like such a field to be added, you might want to add a feature request on https://bugs.wireshark.org

SYN-bit
answered 2019-09-27 07:50:08 +0000

Brute force might be to have a profile with all protocols disabled except ethernet, ipv4, ipv6?, tcp and udp. Use "-C" to specify the profile to load and print the data.data field.

tshark -r .\http-riverbed-one.pcapng -C data_data -e "data.data" -Tfields -Y data.data > tmp.fil
Chuckc
answered 2019-09-27 00:06:06 +0000, updated 2019-09-27 04:09:50 +0000
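
Combining the two answers above, as an added example that is not part of either answer: a Python post-processor that turns `tshark -T fields` output into one application-payload value per frame, preferring `tcp.payload` and falling back to `data.data` (which covers UDP when the restricted profile is loaded). The function names, the capture file name and the sample rows are constructed for illustration; the code assumes tab-separated output and accepts byte fields printed either as `aa:bb:cc` or as `aabbcc`.

```python
import csv
import io

# Constructed sample of tshark output (tab-separated, one row per frame), as from:
#   tshark -r capture.pcapng -C data_data -T fields -E occurrence=f \
#          -e frame.number -e tcp.payload -e data.data
# ("capture.pcapng" is a placeholder; "data_data" is the profile name used in
# the answer above.)
# Row 1: TCP, colon-separated hex; row 2: TCP, plain hex;
# row 3: UDP (only data.data is populated); row 4: bare ACK, no payload.
SAMPLE = (
    "1\t47:45:54:20:2f\t47:45:54:20:2f\n"
    "2\t485454502f312e31\t485454502f312e31\n"
    "3\t\t00:01:02:ff\n"
    "4\t\t\n"
)


def hex_field_to_bytes(value):
    """Decode a tshark byte field printed as 'aa:bb:cc' or 'aabbcc'."""
    cleaned = value.strip().replace(":", "")
    return bytes.fromhex(cleaned)  # raises ValueError on malformed hex


def app_payloads(fields_text):
    """Map frame number -> application-layer bytes (b'' when there are none).

    tcp.payload is preferred; data.data is the fallback that covers UDP.
    """
    result = {}
    reader = csv.reader(io.StringIO(fields_text), delimiter="\t")
    for row in reader:
        if not row:
            continue
        row += [""] * (3 - len(row))  # pad short rows defensively
        frame, tcp_payload, data = row[:3]
        result[int(frame)] = hex_field_to_bytes(tcp_payload or data)
    return result


if __name__ == "__main__":
    for frame, payload in app_payloads(SAMPLE).items():
        print(frame, len(payload), payload.hex())
```
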