
Dump each packet data received on a different file where the file name is the tcp.time_relative

What I'm trying to achieve is to sniff the traffic over the loopback and write every packet payload to its own file where the file name is the tcp.time_relative.

with:

    sudo tshark -i lo -T fields -e tcp.time_relative -e tcp.payload


I can get the two fields I need. What is crucial now is a way to write each tcp.payload to a file where tcp.time_relative is the file name. If someone knows some useful tshark commands or a way to script this, that would be really nice.

Thank you in advance for your answers.

3
Faliero Rogo
asked 2020-10-19 13:31:07 +0000, updated 2020-10-19 13:35:26 +0000

Comments

Do you want the empty files where there is no tcp.payload data?

Chuckc (2020-10-19 14:49:44 +0000)

No, I don't. I already modified the command like this:

    tshark -l -i lo -T fields -e tcp.time_relative -e tcp.payload -Y 'tcp.len>0 and !tcp.payload contains 05:00:00:00'

to filter out a packet I don't want to read and to ignore empty data.

Faliero Rogo (2020-10-19 14:58:31 +0000)

"a way to script this" - are you working on some flavor of *nix so a bash script would be ok?

Chuckc (2020-10-19 15:08:56 +0000)

Yes, a bash script would do the trick.

Faliero Rogo (2020-10-19 15:34:21 +0000)

1 Answer

1

(Test file on Wireshark wiki)


$ cat ./mktcpfile
#!/bin/bash
# Reads "<tcp.time_relative><tab><tcp.payload>" lines (tshark -T fields output)
# from stdin and writes each payload to <tcp.time_relative>.txt.

TIMESTAMP=""
PAYLOAD=""

# -r keeps backslashes in the input literal; quoting keeps each field intact
read -r TIMESTAMP PAYLOAD
while [ "$TIMESTAMP" ]
do
    echo "$TIMESTAMP"
    echo "$PAYLOAD" > "$TIMESTAMP.txt"
    read -r TIMESTAMP PAYLOAD
done


$ tshark -r ../200722_tcp_anon.pcapng -T fields -e tcp.time_relative -e tcp.payload -Y tcp.payload | ./mktcpfile
0.004678000
0.005701000
0.005734000
0.005745000
0.005752000
0.005762000
0.005770000
0.005776000
8.657441000
10.162740000
12.385270000
$
$ ls
0.004678000.txt  0.005734000.txt  0.005752000.txt  0.005770000.txt  10.162740000.txt  8.657441000.txt
0.005701000.txt  0.005745000.txt  0.005762000.txt  0.005776000.txt  12.385270000.txt  mktcpfile
$ cat ./0.004678000.txt
68656c6c6f0a
$

Sharkfest video on using tshark:
SF19US - 04 Solving (SharkFest) packet capture challenges with only tshark (Sake Blok)

3k
Chuckc
answered 2020-10-19 16:34:33 +0000
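The same split, written as an added example that is not part of the answer above: it reads the tab-separated `tcp.time_relative` / `tcp.payload` lines the tshark pipeline prints, but only accepts a timestamp as a file name when it is a plain decimal number (the value comes from packet data, so a bare `echo > $TIMESTAMP.txt` would otherwise let a stray field value pick the path), skips packets without a payload, and counts what it wrote. The function names, the `--demo`-style argument handling and the sample lines are this example's own constructions, not tshark's or the answer's.

```shell
#!/bin/sh
# Added example: a stricter version of the timestamp -> file splitter.
# Input is what
#   tshark -l -i lo -T fields -e tcp.time_relative -e tcp.payload -Y tcp.payload
# prints: "<tcp.time_relative><tab><hex payload>", one line per packet.

# split_payloads OUTDIR -- read lines from stdin, write OUTDIR/<timestamp>.txt
# for every line that carries a payload, and print the number of files written.
# A timestamp is only used as a file name when it consists of digits and dots;
# anything else (empty, letters, '/', '..') is skipped instead of becoming a path.
split_payloads() {
    outdir="$1"
    count=0
    mkdir -p "$outdir"
    tab="$(printf '\t')"
    while IFS="$tab" read -r ts payload; do
        case "$ts" in
            ''|*[!0-9.]*) continue ;;   # empty or not purely [0-9.]: skip the line
        esac
        [ -n "$payload" ] || continue    # packet without payload: no file
        printf '%s\n' "$payload" > "$outdir/$ts.txt"
        count=$((count + 1))
    done
    echo "$count"
}

# hex_to_bin FILE.txt -- decode the hex text into FILE.bin (raw bytes) when xxd
# is installed; ':' separators, if the byte field carries any, are removed first.
# Returns 1 when xxd is not available.
hex_to_bin() {
    command -v xxd >/dev/null 2>&1 || return 1
    tr -d ':' < "$1" | xxd -r -p > "${1%.txt}.bin"
}

# Constructed sample input (not captured traffic): one packet carrying "hello\n",
# one packet without payload, and two lines whose first field must never be
# turned into a file name.
SAMPLE="$(printf '0.004678000\t68656c6c6f0a\n0.005701000\t\n../evil\t41\nabc\t42')"

if [ $# -gt 0 ]; then
    # Live use:  sudo tshark -l -i lo -T fields -e tcp.time_relative \
    #              -e tcp.payload -Y tcp.payload | sh split_payloads.sh ./payloads
    split_payloads "$1"
else
    # No argument: run on the constructed sample and list what was written.
    demo_dir="$(mktemp -d)"
    printf '%s\n' "$SAMPLE" | split_payloads "$demo_dir"
    ls "$demo_dir"
fi
```

Run with an output directory as the only argument to process a live tshark pipe; with no argument it processes the embedded sample, which produces exactly one file, `0.004678000.txt`, and drops the other three lines. `hex_to_bin` is there for the case where the raw bytes, not the hex text, are wanted on disk.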

Comments

That's great, totally what I was looking for. Thank you.

Faliero Rogo (2020-10-20 08:17:49 +0000)
