Extract specific byte offset using tshark

I have a pcap of ICMP packets. I am trying to use tshark to extract the payload data so that I can extract a specific byte offset.

The tshark documentation is highly convoluted, especially for me, a beginner.

I've been searching around a lot and I'm trying to piece together a command for the purpose of my goal.

I can run the following command:

tshark -r test.pcapng -Y icmp -z flow,icmp,network > output.bin

But it only outputs the packet list as it is shown in Wireshark.

For example, I am trying to extract the following byte offset from each packet (offset 22):

[screenshot: Wireshark packet bytes pane with the byte at offset 22 highlighted]

How would I go about extracting a specific byte offset with tshark?

EDIT:

Issuing the following command only returns a portion of the payload data, how can I get all of it?

tshark -r test.pcapng -Y "frame.number == 13" -T fields -e data -w output.bin

[screenshot: the partial output of the command above]

juiceb0xk
asked 2020-02-21 10:08:29 +0000

3 Answers


I'm not aware of any tshark capabilities to restrict the output to specific bytes, only whole fields, using the -e field selector. The data field is available as a fallback when no other dissector is able to further dissect the payload; this may be due to there being no dissector for the traffic, the dissector being disabled, the traffic not being on the "expected" port, or other reasons.

I think you will have to post process the tshark output using external tools to extract the particular data you require.

grahamb
answered 2020-02-21 10:14:22 +0000


If the IP header doesn't vary in length, try to chop out the byte with editcap:
https://ask.wireshark.org/question/14...

Chuckc
answered 2020-02-21 13:49:45 +0000


The posted image would appear to be highlighting the TTL field of the IP header, so assuming that's the field you're interested in, you can obtain it using the following:

tshark -r test.pcapng -Y "frame.number == 13" -T fields -e ip.ttl -w output.bin

You can refer to the Wireshark Display Filter Reference page to find all available Wireshark display filters including the ip.ttl field. You can also find them in other ways. Refer to the wireshark-filter man page for more information.

EDIT: If you want all the bytes of frame number 13 to be displayed, you can call tshark like so:

tshark -r test.pcapng -Y "frame.number == 13" -x -w output.bin

So if for whatever reason you don't like the -e ip.ttl solution, you could isolate the 22nd byte from the hex output generated with -x with a little piping to tools like grep and cut, for example:

tshark -r test.pcapng -Y "frame.number == 13" -x -w output.bin | grep "^0010" | cut -d ' ' -f 9

There may be a more elegant solution than this, but this should be a good starting point in the absence of any other suitable solution, provided of course that your platform has both grep and cut available.

cmaynard
answered 2020-02-21 13:58:46 +0000, updated 2020-02-22 02:39:43 +0000
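A generic post-processor for the tshark -x hex dump, added here as an example: it is not code from the question, from any of the answers above, or from the Wireshark project. It does what grahamb's answer suggests (post-process the tshark output with an external tool) and generalises cmaynard's grep/cut one-liner to any offset and to every frame in the dump, with a check that the dump lines are contiguous. The hex-dump lines, the two frames they contain, their byte values and the extract_offset.py file name are all constructed for this example; the parser assumes the layout tshark -x prints (a four-digit offset, two spaces, up to 16 hex pairs, then an ASCII column) and that each frame's dump starts again at offset 0000.

```python
"""Added example (not from the question or any answer): post-process the hex
dump that `tshark -x` prints and pull one byte offset out of every frame.

Typical use:  tshark -r test.pcapng -Y icmp -x | python3 extract_offset.py 22
The dump layout, the frames and their byte values below are constructed here."""
from __future__ import annotations

import re
import sys

# One hex-dump line as tshark prints it: 4-digit offset, two spaces, up to 16
# space-separated hex pairs, then the ASCII column (ignored by the parser).
HEX_LINE = re.compile(r"^([0-9a-fA-F]{4})  ((?:[0-9a-fA-F]{2} )*[0-9a-fA-F]{2})")

# Constructed sample output of `tshark -x` for two Ethernet/IPv4/ICMP echo
# requests (74 bytes each). Frame 1 has TTL 64 (0x40), frame 2 has TTL 128 (0x80).
SAMPLE_HEX_DUMP = """\
0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   .."3DUfw......E.
0010  00 3c 1c 46 40 00 40 01 b1 e6 c0 a8 00 02 c0 a8   .<.F@.@.........
0020  00 01 08 00 f7 fc 00 01 00 01 61 62 63 64 65 66   ..........abcdef
0030  67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76   ghijklmnopqrstuv
0040  77 61 62 63 64 65 66 67 68 69                     wabcdefghi

0000  00 11 22 33 44 55 66 77 88 99 aa bb 08 00 45 00   .."3DUfw......E.
0010  00 3c 1c 47 40 00 80 01 71 e6 c0 a8 00 02 c0 a8   .<.G@...q.......
0020  00 01 08 00 f7 fb 00 01 00 02 61 62 63 64 65 66   ..........abcdef
0030  67 68 69 6a 6b 6c 6d 6e 6f 70 71 72 73 74 75 76   ghijklmnopqrstuv
0040  77 61 62 63 64 65 66 67 68 69                     wabcdefghi
"""


def parse_hex_dump(text: str) -> list[bytes]:
    """Turn `tshark -x` output into one bytes object per frame.

    A line whose offset is 0000 starts a new frame; every other matching line
    is appended to the current one and must continue exactly where the
    previous line ended. Blank lines and anything that is not a dump line
    (for example a "Frame (74 bytes):" header) are ignored.
    """
    frames: list[bytearray] = []
    for line in text.splitlines():
        match = HEX_LINE.match(line)
        if not match:
            continue
        offset = int(match.group(1), 16)
        chunk = bytes.fromhex(match.group(2))  # fromhex skips the spaces
        if offset == 0:
            frames.append(bytearray())
        elif not frames or offset != len(frames[-1]):
            raise ValueError(f"unexpected offset {offset:#06x} in line: {line!r}")
        frames[-1].extend(chunk)
    return [bytes(frame) for frame in frames]


def byte_at_offset(frame: bytes, offset: int) -> int | None:
    """Byte at `offset`, counted from the first captured byte of the frame
    (the Ethernet header on an Ethernet capture), or None if the frame is
    shorter than that."""
    return frame[offset] if 0 <= offset < len(frame) else None


def extract_offsets(text: str, offset: int) -> list[int | None]:
    """The requested byte from every frame in the dump, in capture order."""
    return [byte_at_offset(frame, offset) for frame in parse_hex_dump(text)]


# 14-byte Ethernet header + TTL at byte 8 of the IPv4 header = offset 22,
# which is why the fixed offset in the question lines up with ip.ttl.
ETH_HEADER_LEN = 14
IPV4_TTL_OFFSET = 8


def ttl_of(frame: bytes) -> int | None:
    """Read the IPv4 TTL by walking the headers instead of hard-coding 22.
    Returns None unless the frame is Ethernet carrying IPv4 (EtherType 0x0800)."""
    if len(frame) < ETH_HEADER_LEN + 20 or frame[12:14] != b"\x08\x00":
        return None
    return frame[ETH_HEADER_LEN + IPV4_TTL_OFFSET]


if __name__ == "__main__":
    wanted = int(sys.argv[1]) if len(sys.argv) > 1 else 22
    # Read a real dump from a pipe; fall back to the constructed sample otherwise.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_HEX_DUMP
    for number, frame in enumerate(parse_hex_dump(source), start=1):
        value = byte_at_offset(frame, wanted)
        shown = f"{value:#04x} ({value})" if value is not None else "frame too short"
        print(f"frame {number}: byte {wanted} = {shown}")
```

The offset check in parse_hex_dump is what the grep/cut one-liner cannot give you: if a dump line is missing or a packet has several data sources, the script stops with an error instead of silently reporting a byte from the wrong frame. ttl_of makes the same point from the other direction: a fixed offset of 22 is the TTL only while the link layer is Ethernet and the packet is IPv4, so whenever a named field such as ip.ttl exists, the -e ip.ttl form in the answer above is the more robust choice.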
