This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Payload only

0

Hello,

Does anyone know the easier way to get only the payload of IP packets ("data" on IP datagram)?

Indeed, when I capture packets, it returns me the entire datagram (with the addresses ...) but I only need the payload.

Thanks, Regards

asked 14 Jul '14, 12:41

chi
11113
accept rate: 0%

edited 14 Jul '14, 12:44


One Answer:

0

Does anyone know the easier way to get only the payload of IP packets ("data" on IP datagram)?

Easier than what?

Indeed, when I capture packets, it returns me the entire datagram (with the addresses ...)

Sure, that's what Wireshark is mainly used for: troubleshooting network problems. For that you need several parts of the packets, especially the headers and also the payload. It depends on the problem.

but I only need the payload.

You can extract the payload with tshark or other pcap extraction tools. As you did not tell us enough details, I can only answer in a general way.

There are several ways to extract the payload of frames.

tshark -nr input.pcap -T pdml

and then parse the tshark pdml output.

tshark -nr input.pcap -Vx

and then parse the tshark output.

tshark -nr input.pcap -z follow,tcp,1

and then parse the tshark output. See the tshark man page for more details.

There are also other tools to extract data from a pcap file:

http://isc.sans.edu/diary/Tools+for+extracting+files+from+pcaps/6961

If that isn't what you are looking for, please add more details to your question!

Regards
Kurt

answered 15 Jul '14, 02:43

Kurt Knochner ♦
24.8k1039237
accept rate: 15%

That seems perfect, thanks a lot!

Regards, Chi

(15 Jul '14, 08:22) chi

You're welcome.

(15 Jul '14, 08:31) Kurt Knochner ♦
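
As an added example (not from the original thread and not Wireshark code): a small Python reader for classic libpcap files that returns only the bytes after the IPv4 header of each frame, which is the "payload only" the question asks for. It assumes an Ethernet capture without VLAN tags; the function names and the sample capture are constructed for illustration.

```python
import struct

def ipv4_payloads(pcap_bytes):
    """Return the bytes after the IPv4 header for each IPv4 frame in a classic pcap."""
    # The magic number tells us the byte order the capture was written in.
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(pcap_bytes[:4])
    if endian is None or len(pcap_bytes) < 24:
        raise ValueError("not a classic pcap file (pcapng is not handled)")
    if struct.unpack(endian + "I", pcap_bytes[20:24])[0] != 1:   # 1 = LINKTYPE_ETHERNET
        raise ValueError("only Ethernet captures are handled")
    payloads, pos = [], 24
    while pos + 16 <= len(pcap_bytes):
        # Record header: ts_sec, ts_usec, captured length, original length.
        _sec, _usec, incl_len, _orig = struct.unpack(endian + "IIII", pcap_bytes[pos:pos + 16])
        frame = pcap_bytes[pos + 16:pos + 16 + incl_len]
        pos += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                      # too short, or EtherType is not IPv4
        ip = frame[14:]                   # strip the 14-byte Ethernet header
        ihl = (ip[0] & 0x0F) * 4          # IP header length in bytes (options included)
        total_len = struct.unpack("!H", ip[2:4])[0]
        if ip[0] >> 4 != 4 or ihl < 20 or total_len < ihl:
            continue                      # malformed IPv4 header
        # Slicing to total_len drops Ethernet padding added to reach 60 bytes.
        payloads.append(ip[ihl:total_len])
    return payloads

def build_sample_pcap():
    """Constructed capture: one UDP/IPv4 frame padded to 60 bytes, then one ARP frame."""
    udp = struct.pack("!HHHH", 40000, 53, 12, 0) + b"test"
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 1, 0, 64, 17, 0,
                     bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = b"\x02\x00\x00\x00\x00\x02" + b"\x02\x00\x00\x00\x00\x01"
    frames = [(eth + b"\x08\x00" + ip + udp).ljust(60, b"\x00"),
              (eth + b"\x08\x06" + bytes(28)).ljust(60, b"\x00")]
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)  # global header
    for f in frames:
        out += struct.pack("<IIII", 0, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    for n, payload in enumerate(ipv4_payloads(build_sample_pcap()), 1):
        print(n, len(payload), payload.hex())
```

The returned payload still contains the transport header (UDP here); strip that as well if only application data is wanted.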