
Get UDP payload live for all ports [closed]


Hello, I'm trying to live-capture all UDP packet payloads; however, it seems to work only for non-standard ports, while it doesn't show any payload for the well-known ones:

tshark -n -f "udp" -T fields -e ip.src -e udp.dstport -e data

Example output:

Capturing on 'eth0'
185.31.x.x 600 746573740a
185.31.x.x 500 746573740a
185.31.x.x 53
185.31.x.x 389
185.31.x.x 123

The -n option is not helping. Any idea?

Thank you!

PaavoV
asked 2022-01-09 10:34:12 +0000

Closed for the following reason "the question is answered, right answer was accepted" by PaavoV 2022-01-09 20:58:28 +0000


1 Answer



Create a profile with only the Ethernet, IPv4 and UDP protocols enabled (Analyze -> Enabled Protocols...), then run tshark with it:

The-Ultimate-PCAP$ tshark -r ultpcap2.pcapng -C UDP_and_below -T fields -e ip.src -e udp.dstport -e data -Y udp
0.0.0.0 67      01010600ecd8ce24000000000000000000000000000000000000000000216a2d3b8e000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000638253633501010c0c4d6963726f6b6e6f707069783712011c02030f06770c2c2f1a792a79f921fc2aff00000000000000000000000000000000000000000000
192.168.2.102   53      b89f010000010000000000000568656973650264650000010001
192.168.2.1     56606   b89f818000010001000000000568656973650264650000010001c00c000100010000002e0004c1639050
192.168.2.102   53      d7fa01000001000000000000023830033134340239390331393307696e2d61646472046172706100000c0001
192.168.2.1     41635   d7fa81800001000100000000023830033134340239390331393307696e2d61646472046172706100000c0001c00c000c00010000ba3100150a72656469726563746f7205686569736502646500
192.168.2.102   53      fb5a01000001000000000000023830033134340239390331393307696e2d61646472046172706100000c0001
192.168.2.1     39208   fb5a81800001000100000000023830033134340239390331393307696e2d61646472046172706100000c0001c00c000c00010000ba3000150a72656469726563746f7205686569736502646500

(XXX - The IP Option protocols came along even though the first step was to Disable All. Working as intended?)

Chuckc
answered 2022-01-09 17:30:03 +0000
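The reason the answer works is that the `data` field only carries bytes that no dissector has claimed. On port 53 the DNS dissector consumes the whole UDP payload, so `-e data` prints nothing unless DNS is disabled (via a profile or disabled_protos). The following added example, not part of the original answer or of Wireshark, decodes the two port-53 payloads shown in the answer's tshark output (the query and its reply, copied as hex) with a small RFC 1035 parser, including the `c00c` name-compression pointer in the reply. It shows what the dissector is claiming when the `data` column is blank; the hex strings are the page's own output, the function names are this example's.

```python
import struct

# Hex payloads copied from the answer's tshark output above (UDP port 53):
# the DNS query for heise.de and the reply carrying one A record.
DNS_QUERY_HEX = "b89f010000010000000000000568656973650264650000010001"
DNS_REPLY_HEX = ("b89f818000010001000000000568656973650264650000010001"
                 "c00c000100010000002e0004c1639050")


def read_name(msg: bytes, offset: int):
    """Decode a DNS name at `offset`, following compression pointers
    (RFC 1035 section 4.1.4). Returns (dotted_name, offset_after_name),
    where the returned offset is the position after the first pointer or
    terminating zero label met in the original byte stream."""
    labels = []
    end = None
    jumped = False
    hops = 0
    while True:
        if offset >= len(msg):
            raise ValueError("name runs past end of message")
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            # Two-byte pointer: top two bits set, low 14 bits are an offset.
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped = True
            hops += 1
            if hops > 16:  # guard against pointer loops in malformed input
                raise ValueError("too many compression pointers")
            offset = pointer
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_dns(payload: bytes) -> dict:
    """Parse the header, question section and answer section of a DNS
    message. A-record rdata is rendered as a dotted IPv4 string."""
    if len(payload) < 12:
        raise ValueError("shorter than a DNS header")
    txid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", payload[:12])
    off = 12
    questions = []
    for _ in range(qdcount):
        name, off = read_name(payload, off)
        qtype, qclass = struct.unpack("!HH", payload[off:off + 4])
        off += 4
        questions.append((name, qtype, qclass))
    answers = []
    for _ in range(ancount):
        name, off = read_name(payload, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", payload[off:off + 10])
        off += 10
        rdata = payload[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, rclass, ttl, rdata))
    return {
        "id": txid,
        "is_response": bool(flags & 0x8000),  # QR bit
        "questions": questions,
        "answers": answers,
    }


if __name__ == "__main__":
    for label, hexstr in (("query", DNS_QUERY_HEX), ("reply", DNS_REPLY_HEX)):
        print(label, parse_dns(bytes.fromhex(hexstr)))
```

Running it prints the query as a question for `heise.de` (type A, class IN) and the reply as the same question plus an answer of `193.99.144.80` with TTL 46; those are exactly the bytes the DNS dissector turns into `dns.*` fields, which is why they never appear under `data`.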

Comments

Actually I'm on CLI only; is there any way to do it with the command itself? And also I need it live and not from dumped traffic.

Thanks!

PaavoV (2022-01-09 18:30:08 +0000)

Actually, I saw around that it is not possible to select disabled protocols by CLI options; therefore a file under $HOME/.wireshark/disabled_protos must be created. That solution actually works.

Thanks for your help!

PaavoV (2022-01-09 20:39:12 +0000)

Potential cleanup of Enabled/Disabled Protocols: 17863 - Qt: display PINO as child of parent protocol

Chuckc (2022-01-10 17:56:22 +0000)