
How to get entire raw packets using tshark?


I couldn't find a way to extract all raw packets from a PCAP file.

there is something like:

tshark -r file.pcap -T fields -e frame.number -e data

however, it doesn't return the entire packet.

it should be something like:

tshark -T jsonraw -j "http tcp ip" -x -r file.pcap

however with only frame.raw output for each packet.

My desired output is (frame number and any format of the entire packets):

1 00a0c58fe3c7000c761c1b97080045000028939e40004006f9adc0a80121ccb21f08db2d023467a50f421c83f58350100993926d0000
2 08db2d023468fe3c7000c761c1b97080045000028939e40004006f9adc0a80121ccb21f08db2d023467a50f421c83f58350100993926d0000
....
malocho, asked 2024-02-13 13:52:07 +0000, updated 2024-02-14 12:14:01 +0000

Comments

It might help if you were a little more precise about what you want it to return. Can I assume that the hexdump output is not what you want because you not only don't want the ASCII (which can be turned off) but you also don't want the offset information before each line?

You want each packet to contain on one line, tab-separated, the frame number and the frame data, correct? Is it a problem if the hex bytes are separated with a space or with a colon? (Producing the output that Chuck mentions and then post-processing it is also an option.)

johnthacker (2024-02-14 01:22:24 +0000)

@johnthacker, of course, it would work with the produced JSON and preprocessing afterward, however, one of the significant points in my case is the processing time... tshark by using -e filters returns very fast almost all you need except the raw frame which is important for me.

malocho (2024-02-14 12:16:47 +0000)

3 Answers


Just to clarify, frame.raw is not a Wireshark field but there is a frame_raw in -T jsonraw output.

tshark -T jsonraw -j "frame" -x -r .\test.pcap

    "_index": "packets-2021-02-10",
    "_type": "doc",
    "_score": null,
    "_source": {
      "layers": {
        "frame_raw": [
          "000000000000000000000000080045000054000000007601ab6908080808c0a8c88700004a0200250002643c2460000000006c67020000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637",
          0,
          98,
          0,
          1
        ],
        "frame": {
Chuckc, answered 2024-02-13 15:45:20 +0000

Comments

I don't see a significant difference to my second provided example: tshark -T jsonraw -j "http tcp ip" -x -r file.pcap. Unfortunately, your answer is not what I am looking for and almost the same as I already wrote in my question.

malocho (2024-02-13 21:50:34 +0000)

Using a profile with all protocols disabled except eth:

$ tshark -r ./bvlc.pcap -T fields -e frame.number -e eth.addr -e eth.type -e data -C NO_PROTOCOLS -Y frame.number==304 | sed -e "s/\t//2" -e "s/\t//2" -e "s/0x//" -e "s/[:,]//g"
304     --snip--

sed:
-e "s/\t//2" - delete 2nd tab (between eth.addr and eth.type)
-e "s/\t//2" - delete "new" 2nd tab (between eth.type and data)
-e "s/0x//" - delete the 0x format on eth.type
-e "s/[:,]//g" - clean up eth.addr

If your capture is not using an eth header, then adjust as needed.
If packets can contain multiple eth sections, then apply more sed.

(it would be easier if the frame protocol called data when all others are disabled)

Chuckc, answered 2024-02-14 15:25:47 +0000, updated 2024-02-14 15:27:10 +0000

Comments

tshark: Configuration Profile "NO_PROTOCOLS" does not exist

malocho (2024-03-06 16:07:34 +0000)

I tried this one: tshark -r UseCase2.pcap -T fields -e frame.number -e eth.addr -e eth.type -e data -Y frame.number==1 | sed -e "s/\t//2" -e "s/\t//2" -e "s/0x//" -e "s/[:,]//g" however, it does not represent the entire packet

malocho (2024-03-06 16:17:33 +0000)

Using a profile with all protocols disabled except eth:

Create a new profile called NO_PROTOCOLS (or any name you choose), disable all protocols then re-enable just ethernet (short name eth).

C:\Users\admin>tshark -r .\bvlc.pcap -C NO_PROTOCOLS -V -Y frame.number==304
Frame 304: 1462 bytes on wire (11696 bits), 1462 bytes captured (11696 bits)
    Encapsulation type: Ethernet (1)
    Arrival Time: Jun 28, 2020 16:54:15.952264000 Central Daylight Time
    UTC Arrival Time: Jun 28, 2020 21:54:15.952264000 UTC
    Epoch Arrival Time: 1593381255.952264000
    [Time shift for this packet: 0.000000000 seconds]
    [Time delta from previous captured frame: 0.305577000 seconds]
    [Time delta from previous displayed frame: 0.000000000 seconds]
    [Time since reference or first frame: 49.184376000 seconds]
    Frame Number: 304
    Frame Length: 1462 bytes (11696 bits)
    Capture Length: 1462 bytes (11696 bits)
    [Frame is marked: False]
    [Frame is ignored: False]
    [Protocols in frame: eth ...
Chuckc (2024-03-06 16:34:54 +0000)

I only use tshark, is it possible to do it only with tshark?

malocho (2024-03-06 17:21:02 +0000)
$ tshark -r ./bvlc.pcap -T fields -e frame.number -e eth.addr -e eth.type -e data --disable-protocol ALL --enable-protocol eth -Y frame.number==304 | sed -e "s/\t//2" -e "s/\t//2" -e "s/0x//" -e "s/[:,]//g"
304     ffffffffffffd8f2cade04e00800450005a860b54000011100dac0a8c865c0a8c8ff037903790594f85bc97359818c0504008ace013462cd275dbce0260000891a06bae98bdc0bc1d2e6c0a8c80106000000200d000070110000c00c000050000100800d0000200d0000007e00006018000045e40000c

--snip--
Chuckc (2024-03-06 17:50:43 +0000)
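The fields-based command in the comment above rebuilds the frame by concatenating eth.addr, eth.type and data, which only works if those three fields together cover every captured byte. The script below is an added example for this thread, not code from the page or from tshark; it does in Python what the sed chain does and adds the check a practitioner wants: it also requests frame.cap_len and compares it with the number of rebuilt bytes, so a frame whose bytes were assigned to a field that was not requested (eth.fcs when an FCS is present, eth.trailer, or another link type where eth.addr is empty and data does not cover the frame) is flagged instead of being emitted short. Assumed tshark formatting: ':' between bytes of MAC and byte fields, ',' between the two eth.addr occurrences (destination first, as on the wire), eth.type as 0x-prefixed hex; the sample input is constructed from the 54-byte packet quoted in the question, not captured.

```python
"""Rebuild whole frames from `tshark -T fields` output and check nothing was lost.

Added example, not code from the thread or from tshark. Consumes the output of

    tshark -r file.pcap --disable-protocol ALL --enable-protocol eth \
        -T fields -e frame.number -e frame.cap_len -e eth.addr -e eth.type -e data
"""
import subprocess
from dataclasses import dataclass
from typing import List

FIELDS = ["frame.number", "frame.cap_len", "eth.addr", "eth.type", "data"]


@dataclass
class Frame:
    number: int
    cap_len: int   # bytes captured for this frame, as reported by tshark
    hex: str       # bytes rebuilt from the requested fields

    @property
    def complete(self) -> bool:
        return len(self.hex) // 2 == self.cap_len


def strip_hex(field: str, ethertype: bool = False) -> str:
    """Reduce a field as printed by tshark to bare lowercase hex digits."""
    if ethertype and field.startswith("0x"):
        field = field[2:].zfill(4)   # "0x800" and "0x0800" both become "0800"
    return field.replace(":", "").replace(",", "").lower()


def parse_fields(text: str) -> List[Frame]:
    frames = []
    for line in text.splitlines():
        if not line.strip():
            continue
        cols = line.split("\t")
        if len(cols) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} columns, got {len(cols)}: {line!r}")
        number, cap_len, addrs, etype, data = cols
        # With only eth enabled, dst+src MAC, ethertype and data are contiguous on the
        # wire in this order, so concatenating them yields the original frame bytes.
        rebuilt = strip_hex(addrs) + strip_hex(etype, ethertype=True) + strip_hex(data)
        frames.append(Frame(int(number), int(cap_len), rebuilt))
    return frames


def tshark_fields(pcap: str, display_filter: str = "") -> str:
    """Run the tshark command above (tshark must be on PATH) and return its output."""
    cmd = ["tshark", "-r", pcap, "--disable-protocol", "ALL",
           "--enable-protocol", "eth", "-T", "fields"]
    for field in FIELDS:
        cmd += ["-e", field]
    if display_filter:
        cmd += ["-Y", display_filter]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def report(frames: List[Frame]) -> List[str]:
    """One output line per frame; incomplete frames are flagged, not emitted short."""
    lines = []
    for fr in frames:
        if fr.complete:
            lines.append(f"{fr.number}\t{fr.hex}")
        else:
            lines.append(f"{fr.number}\t# INCOMPLETE: {len(fr.hex) // 2} of "
                         f"{fr.cap_len} captured bytes rebuilt")
    return lines


def _colons(hx: str) -> str:
    return ":".join(hx[i:i + 2] for i in range(0, len(hx), 2))


# Constructed sample of tshark -T fields output (not a real capture). Frame 1 is the
# 54-byte packet from the question; frame 2 reuses its bytes but claims 60 captured
# bytes, the shape you would see if 6 bytes had gone to an unrequested field.
PAYLOAD = "45000028939e40004006f9adc0a80121ccb21f08db2d023467a50f421c83f58350100993926d0000"
SAMPLE_FIELDS = "\n".join([
    "1\t54\t00:a0:c5:8f:e3:c7,00:0c:76:1c:1b:97\t0x0800\t" + _colons(PAYLOAD),
    "2\t60\t00:a0:c5:8f:e3:c7,00:0c:76:1c:1b:97\t0x0800\t" + _colons(PAYLOAD),
]) + "\n"

if __name__ == "__main__":
    import sys
    text = tshark_fields(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_FIELDS
    print("\n".join(report(parse_fields(text))))
```

Run it with a pcap path to process real tshark output, or without arguments to see the constructed sample; frame 1 comes out as the exact hex line the question asks for, and frame 2 is reported as incomplete. If frames show up incomplete on a real capture, add the field tshark put the missing bytes in (or a -Y filter excluding those frames) rather than trusting the short line.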

This is issue #19076 and I don't believe that exactly what you're asking for is possible in current releases, though it certainly is possible to produce other output, like what Chuck mentioned, and then post-process it to get what you desire (it's not that difficult to read JSON and then spit out the desired value.)

I have an open merge request that would allow you to enter something like:

tshark -o 'gui.column.format:"No.","%m","Frame","%Cus:@frame"' -r file.pcap

in order to produce output like

    1 ff:ff:ff:ff:ff:ff:24:5e:be:3b:d5:d1:08:00:45:00:00:31:4c:5d:40:00:40:11:69:da:c0:a8:01:35:c0:a8:01:ff:c2:d6:7e:9c:00:1d:c3:7d:4d:2d:53:45:41:52:43:48:20:2a:20:48:54:54:50:2f:31:2e:31:0d:0a
    2 ff:ff:ff:ff:ff:ff:24:5e:be:3b:d5:d1:08:00:45:00:00:31:4c:5c:40:00:40:11:69:db:c0:a8:01:35:c0:a8:01:ff:a4:08:7e:9e:00:1d:e2:49:4d:2d:53:45:41:52:43:48:20:2a:20:48:54:54:50:2f:31:2e:31:0d:0a
johnthacker, answered 2024-02-14 01:30:23 +0000, updated 2024-02-14 01:31:33 +0000

Comments

-o <preference>:<value>

Set a preference value, overriding the default value and any value read from a preference file. The argument to the option is a string of the form prefname:value, where prefname is the name of the preference (which is the same name that would appear in the preference file), and value is the value to which it should be set.
malocho (2024-02-14 12:10:26 +0000)

how did you construct -o filter? Your version only returns the frame number when I try it

malocho (2024-02-14 12:11:30 +0000)

It is a new feature that just landed in the git repository and will be available in 4.4.0, but is not in a released version yet. You can try pulling the latest source and building if you want. I'm sorry if that wasn't clear before.

johnthacker (2024-02-14 12:27:56 +0000)

thank you! I will take a look

malocho (2024-02-16 10:48:30 +0000)

@johnthacker sorry for such a silly question... do you speak about the wireshark repo? or where is the repo of tshark?

malocho (2024-03-06 16:11:09 +0000)
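Chuckc's first answer shows that the whole frame is available as frame_raw in the JSON output, and the answer above notes that reading that JSON and spitting out the desired value is not difficult. The script below is an added example for this thread, not code from the page, tshark or its authors: it turns tshark JSON into the "frame number, hex" lines the question asks for. Assumptions: tshark -T json -x -j frame emits a frame_raw entry next to the decoded frame layer (verify with your version; -x adds the _raw entries to -T json, while -T jsonraw emits only the _raw entries and no decoded frame.number), and frame_raw is either the [hex, offset, length, bitmask, type] list shown in that answer or, in older releases, a bare hex string. The sample input is constructed from the two hex strings quoted on this page, not from a real capture.

```python
"""Post-process tshark JSON into "<frame number>\t<hex of the whole frame>" lines.

Added example, not code from the thread or from tshark. Intended input:

    tshark -r file.pcap -T json -j frame -x
"""
import json
import subprocess
import sys
from typing import Any, List, Tuple


def frame_hex(raw: Any) -> str:
    """Normalise a *_raw entry ("hex" or ["hex", pos, len, bitmask, type]) to lowercase hex."""
    if isinstance(raw, list):
        raw = raw[0]
    if not isinstance(raw, str):
        raise ValueError(f"unexpected frame_raw entry: {raw!r}")
    return raw.lower()


def frames_from_json(text: str) -> List[Tuple[int, str]]:
    """Parse a tshark JSON array of packets into (frame number, whole-frame hex) pairs.

    frame.number is taken from the decoded frame layer when present (-T json). With
    -T jsonraw the decoded values are absent, so the packet's position in the array is
    used instead; that equals the frame number only when no -Y filter dropped packets.
    """
    result = []
    for position, packet in enumerate(json.loads(text), start=1):
        layers = packet["_source"]["layers"]
        number = layers.get("frame", {}).get("frame.number", position)
        result.append((int(number), frame_hex(layers["frame_raw"])))
    return result


def tshark_json(pcap: str, display_filter: str = "") -> str:
    """Run tshark (must be on PATH) and return its JSON output as text."""
    cmd = ["tshark", "-r", pcap, "-T", "json", "-j", "frame", "-x"]
    if display_filter:
        cmd += ["-Y", display_filter]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def as_lines(frames: List[Tuple[int, str]]) -> str:
    return "\n".join(f"{number}\t{hx}" for number, hx in frames)


# Constructed sample in the shape tshark emits, reusing the hex strings quoted in the
# question (54 bytes) and in the jsonraw answer (98 bytes); not a real capture.
FRAME1_HEX = ("00a0c58fe3c7000c761c1b970800"
              "45000028939e40004006f9adc0a80121ccb21f08"
              "db2d023467a50f421c83f58350100993926d0000")
FRAME2_HEX = ("000000000000000000000000080045000054000000007601ab6908080808c0a8c887"
              "00004a0200250002643c2460000000006c67020000000000"
              "101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637")

SAMPLE_JSON = json.dumps([
    {"_index": "packets-2024-02-13", "_type": "doc", "_score": None,
     "_source": {"layers": {
         "frame_raw": [FRAME1_HEX, 0, 54, 0, 1],
         "frame": {"frame.number": "1", "frame.len": "54", "frame.cap_len": "54"}}}},
    {"_index": "packets-2024-02-13", "_type": "doc", "_score": None,
     "_source": {"layers": {
         "frame_raw": FRAME2_HEX,   # older bare-string form
         "frame": {"frame.number": "2", "frame.len": "98", "frame.cap_len": "98"}}}},
])

# jsonraw shape: _raw entries only, no decoded frame.number, so position is used
# (the frame layer's own _raw entries are omitted here for brevity).
SAMPLE_JSONRAW = json.dumps([
    {"_source": {"layers": {"frame_raw": [FRAME2_HEX, 0, 98, 0, 1], "frame": {}}}},
])

if __name__ == "__main__":
    text = tshark_json(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_JSON
    print(as_lines(frames_from_json(text)))
```

Run it with a pcap path to process real tshark output, or without arguments to see the constructed sample. Note that json.loads needs the whole array in memory and tshark's JSON output is many times larger than the capture, so for very large files this path is slower than -T fields; it is the portable option until a release carries the custom column feature described in the answer above.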
