I need to extract ascii from udp payload and use command
tshark -r filename.pcap -z"follow,udp,ascii,0" > logfile
This command mostly works but not when pcap has multiple udp streams, in such case it exports only the first one, how can I extract all udp streams from pcap? including damaged ones?
In your-z option you have specified a range of "0", this limits the output to the first UDP "stream". Try removing the ,0 from your command.
See the tshark man page for more info on the -z option.
Edit: Another senior moment, please ignore this "answer" it's incorrect.
removing 0 produces error, "tshark: follow - Invalid address." I couldn't find any way to specify all streams
-z follow,prot,mode,filter[,range] - the filter (stream number) is required and doesn't support a wildcard.
You can specify multiple follow options (in reverse order for ascending output) and doesn't matter if a stream number is picked that doesn't exist.
C:\>"\Program Files\Wireshark\tshark.exe" -r ".\UFTP_v3_transfer (1).pcapng" -q -z follow,udp,ascii,10 -z follow,udp,ascii,9 -z follow,udp,ascii,8 -z follow,udp,ascii,7 -z follow,udp,ascii,6 -z follow,udp,ascii,5 -z follow,udp,ascii,4 -z follow,udp,ascii,3 -z follow,udp,ascii,2 -z follow,udp,ascii,1 -z follow,udp,ascii,0
If you're working with many UDP streams, it might be better to make a pass through to determine the maximum value and then a loop to extract them individually.
(Code for parsing options in tap-follow.c)
I didn't actually try it, I misread the documentation and assumed that "filter" was a filter, not a stream selector and that the optional range was the stream selector.
As @Chuckc noted there have been a number of solutions posted that make a first pass to extract all the stream indexes and use that info to create a new filter for a second pass.
Comments
Can you define " including damaged ones?" ?