
Formatting TShark payload output with timestamp

Currently I'm outputting the ascii payload of tshark filtered packets:

tshark -i ens224 -l -T fields -e data host 192.168.1.123 and dst port 3423 | xargs -n1 -I{} echo "{}0d0a" | xxd -r -p -

where xxd is being used to convert the hex data in the data field to ascii.

  tshark  
    -i interface name  
    -f host filter for local broadcast  
    -l flush stdout after each packet    
    -T fields output fields specified by -e   
    -e data   tshark will only output undissected data in packets  

  xargs  
    -n1 trigger on one received cmd line arg  
    -i{} use {} for substitution in echo command  
    "{}0d0a"  add crlf to hex string data from packet to flush stdout in xxd  
    echo use echo to aggregate hex data with crlf and pipe to xxd  

  xxd  
    -r reverse hex to ascii  
    -p plain text output  
    -  take input from stdin

The output looks something like:

1 Data in packet
7 Data in another packet

I'd like to prepend that with the capture time.

1 15:20:32 Data in packet
7 15:23:01 Data in another packet

How do I do that?

Dani asked 2022-02-14 16:07:00 +0000; grahamb updated 2022-02-14 16:32:48 +0000

1 Answer

To convert only a part of a given line from hex to ASCII, I suggest using a Perl one-liner.

The default separator for fields is a tab character. So split by tab and process the date and data separately. For example this way:

TZ= tshark -r test.pcap -T fields -e frame.time -e data | perl -ne 's/\s+$//; ($date, $hexstr) = split("\t"); print substr($date, 13, 8), "\t", (pack "H*", $hexstr), "\r\n";'

André answered 2022-02-14 17:35:05 +0000, updated 2022-02-14 17:41:15 +0000

Comments

Thank you, that was really helpful.

Dani (2022-02-14 20:17:19 +0000)
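
An added example, not part of the answer above or of the Wireshark project: a Python filter for the same tab-separated output that reads the time from `frame.time_epoch` instead of a fixed `substr` offset, skips frames with an empty `data` field, and escapes non-printable payload bytes so captured traffic cannot send control sequences to the terminal. The script name `fmt_payload.py` is an assumption; times are printed in UTC.

```python
#!/usr/bin/env python3
"""Usage (fmt_payload.py is a hypothetical file name):
tshark -l -T fields -e frame.time_epoch -e data ... | python3 fmt_payload.py
"""
import sys
from datetime import datetime, timezone


def printable(raw: bytes) -> str:
    """Keep printable ASCII; render every other byte as \\xNN so payload
    bytes (ESC, CR, BEL, ...) are shown instead of acted on by the terminal."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in raw)


def format_line(line: str):
    """Turn one 'epoch<TAB>hex' line into 'HH:MM:SS<TAB>payload'.
    Returns None for lines that carry no usable payload."""
    epoch, _, hexstr = line.rstrip("\r\n").partition("\t")
    if not epoch or not hexstr:
        return None  # frame without an undissected data field
    try:
        # Use the integer seconds only, so fractions never round up.
        ts = datetime.fromtimestamp(int(epoch.split(".")[0]), tz=timezone.utc)
        # tshark's default aggregator joins repeated fields with ','.
        raw = bytes.fromhex(hexstr.replace(",", ""))
    except ValueError:
        return None  # malformed timestamp or hex string
    return f"{ts:%H:%M:%S}\t{printable(raw)}"


def main() -> None:
    for line in sys.stdin:
        out = format_line(line)
        if out is not None:
            print(out, flush=True)  # flush per packet, like tshark -l


if __name__ == "__main__":
    main()
```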