tshark command to write payload to a file

0

Hi, Can some tell me what are the arguments that we need to pass to tshark command to capture all the request and response(http xml) messages and write them to a file in txt format? I am aware of -W option, but the issue is that the file data is not readable; it can only be readable by a tool like wireshark. My plan is to read the payload messages from a java code after getting the data into a file by using tshark command.

asked 28 May '12, 02:19

vikram's gravatar image

vikram
117711
accept rate: 0%

edited 28 May '12, 07:39

cmaynard's gravatar image

cmaynard ♦
3.2k51656

Hi, I am able to use the below command and able to see the payload...

tshark -r test2.log -R "http" -V

(I used tshark -i eth1 -d tcp.port=8101,http -w test2.log for capturing the traffic)

The problem now is along with the payload I see a lot of additional frame network related data. Can someone tell me any filter expression that I can use so that I will get only payload (http req/resp messages) or at least with minimal network related data?

(28 May '12, 06:23) vikram

From the tshark manual page:

NOTE: -w provides raw packet data, not text. If you want text output you need to redirect stdout (e.g. using '>'), don't use the -w option for this.

(28 May '12, 06:28) Jaap ♦
One Answer:
oldestnewestmost voted
1

From the tshark manual page:

-T pdml|psml|ps|text|fields

pdml Packet Details Markup Language, an XML-based format for the details of a decoded packet. This information is equivalent to the packet details printed with the -V flag.

link

answered 28 May '12, 06:31

Jaap's gravatar image

Jaap ♦
6.0k568
accept rate: 11%

Hi Jaap, Thanks a lot for your reply.I am intrested in reading only the actaul messge that is being sent(in my case it is a xml)..is there any way to filter out maxium data that is being captured and get only the payload.When i use the -T pdml even the frames related network information is also coming in the from of xml and the file is becoming too huge.

(29 May '12, 00:24) vikram

tshark -i eth1 -R http -V > test2.txt when i use the above command,the data is coming in txt format..how ever some times the payload messge is only coming as hexadecimal format..is there any filter option to get the payload data as simple text

(30 May '12, 02:07) vikram
Your answer
toggle preview

Follow this question

By Email:

Once you sign in you will be able to subscribe for any updates here

By RSS:

Answers

Answers and Comments

Markdown Basics

  • *italic* or _italic_
  • **bold** or __bold__
  • link:[text](http://url.com/ "Title")
  • image?![alt text](/path/img.jpg "Title")
  • numbered list: 1. Foo 2. Bar
  • to add a line break simply add two spaces to where you would like the new line to be.
  • basic HTML tags are also supported

learn more about Markdown

Tags:

×245
×24

Asked: 28 May '12, 02:19

Seen: 1,523 times

Last updated: 30 May '12, 02:07

Related questions

Printing tcp payload using tshark -T fields?

Dump raw packet 'data' field only?

how to get only the headers of a packet

Decapsulation of data

How to get Profinet IO payload to .csv

How can I get the payload using the command line

Packet capture and Apache logs do not agree - data discrepencies

Creating a csv file with tshark

control of tshark -V output

How to create analysed statistics like wireshark at commandline (with tshark or ...)

about | faq | privacy | support | contact

powered by OSQA