Where Can I Find The Packet Display Stream File(s)

Hello,

I had to make an account to ask this important question, as I want to make a little project that visualizes the traffic of all the packets that are flowing through the UI stream. In doing this, I want the stream to be posted to a text file (or something similar of the sort) that can be read and displayed on a user's browser. In order for me to do that, I have to go up the river to find out where the water is coming from, if you get what I mean.

However, I have had a lot of trouble finding the file(s) that contain the process of posting each discovered packet. I also looked hard through the forums here to see if I could find out myself, but I hardly made any progress. Would someone mind telling me where I need to look?

Maybe I should put it like this: I don't have concern for what's in the packet, but rather how/where Wireshark detects the packet. Sorry if there was some confusion.

Ninny
asked 2020-04-28 06:12:32 +0000, updated 2020-04-28 19:33:09 +0000

1 Answer

> I want the stream to be posted to a text file

Do you mean output of the form you get by running "tshark -V" or by saving dissections as text from Wireshark? If so, then...

> I have had a lot of trouble finding the file(s) that contain the process of posting each discovered packet

...that's because there is no such file. The raw packet data is either in the file you're reading or in the file that Wireshark or TShark runs its "dumpcap" program to produce and that it reads as new packets arrive in it, but it contains raw binary packet data, not anything even remotely human-readable as network traffic (unless you're the sort of person who sees "08 00" and says "OK, that's an Ethernet type for IPv4" or sees "45" and says "OK, that's the first byte of an IPv4 header" :-)).

TShark will write text containing that to the standard output - it will give one-line summaries of packets, similar to what's in the packet list pane, by default, and will give the details, similar to what's in the packet detail pane, if you pass it the "-V" flag - if you don't save to a file with the "-w" flag or if you do save to a file with the "-w" flag but you also give it the "-P" flag. To save that to a file, redirect TShark's standard output.

Wireshark will write that text if you use the Export Packet Dissections > As Plain Text... menu item and specify what parts of the dissection to write out.

Guy Harris
answered 2020-04-28 07:34:20 +0000

Comments

I believe either of those options would be good for me to try, but I don't know how to make it happen.

Ninny (2020-04-28 16:47:51 +0000)

As I said, you need to run TShark with the right command-line options. The rest of the project isn't a Wireshark issue.

Guy Harris (2020-04-28 17:37:17 +0000)

Maybe I should put it like this: I don't have concern for what's in the packet, but rather how/where Wireshark detects the packet. Sorry if there was some confusion.

Ninny (2020-04-28 19:32:41 +0000)

What do you mean by "detects the packet"? Do you mean captures the packet, i.e. gets a copy of the packet from a network interface, as happens during a live capture?

Guy Harris (2020-04-28 23:28:19 +0000)

Like it realizes "Oh! A packet just came!"

I'm trying to make a visualization of the packets going to and fro addresses, but I don't actually need to see what each packet contains.

Ninny (2020-04-29 03:06:30 +0000)
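
The approach from the answer above (have TShark print per-packet text on its standard output and read that), as an added example that is not part of the original thread or of Wireshark itself: it turns that output into per-address-pair packet and byte counts in JSON, without looking at packet contents. The `-T fields` column selection, the script name `flows.py` and the interface name `eth0` are assumptions, and the sample lines are constructed.

```python
import json
import sys
from collections import Counter

# Produce the input with real TShark options (interface name is a placeholder):
#   tshark -l -n -i eth0 -c 1000 -T fields -E occurrence=f \
#       -e frame.time_epoch -e ip.src -e ip.dst -e frame.len | python3 flows.py
# -T fields prints the -e fields tab-separated, one packet per line;
# -E occurrence=f keeps the first value if a field occurs twice (tunnels).
FIELD_COUNT = 4

# Constructed sample of that output (documentation addresses); third line is ARP.
SAMPLE = [
    "1588054352.100000\t192.0.2.10\t198.51.100.7\t74\n",
    "1588054352.200000\t198.51.100.7\t192.0.2.10\t1514\n",
    "1588054352.300000\t\t\t42\n",
    "1588054352.400000\t192.0.2.10\t198.51.100.7\t66\n",
]

def parse_line(line):
    """Return (src, dst, frame_len), or None when the packet has no IPv4 header."""
    parts = line.rstrip("\r\n").split("\t")
    if len(parts) != FIELD_COUNT:
        return None
    _timestamp, src, dst, length = parts
    if not src or not dst or not length.isdigit():
        return None
    return src, dst, int(length)

def aggregate(lines):
    """Sum packets and bytes per directed (src, dst) pair, largest first."""
    packets, octets = Counter(), Counter()
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue
        src, dst, length = record
        packets[(src, dst)] += 1
        octets[(src, dst)] += length
    return [
        {"src": s, "dst": d, "packets": packets[(s, d)], "bytes": n}
        for (s, d), n in octets.most_common()
    ]

if __name__ == "__main__":
    # Read TShark's stdout from the pipe; fall back to the sample on a terminal.
    source = SAMPLE if sys.stdin.isatty() else sys.stdin
    print(json.dumps(aggregate(source), indent=2))
```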