I'm not aware of any tshark capabilities to restrict the output to specific bytes, only whole fields, using the -e field selector. The data field is available as a fallback when no other dissector is able to further dissect the payload; this may be due to there being no dissector for the traffic, the dissector being disabled, the traffic not being on the "expected" port, or other reasons.

I think you will have to post-process the tshark output using external tools to extract the particular data you require.
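One way to do the post-processing described above, as an added example that is not part of the original answer: a shell filter that cuts a byte range out of the hex that `tshark -T fields -e frame.number -e data` prints. The function name `slice_data`, the file name `capture.pcap` and the sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# slice_data OFFSET LENGTH   (hypothetical helper, not a tshark feature)
# stdin : one line per frame, "<frame.number><TAB><data field as hex>"
# stdout: "<frame.number><TAB><LENGTH bytes starting at byte OFFSET, as hex>"
slice_data() {
    awk -F '\t' -v off="$1" -v len="$2" '
    {
        hex = $2
        sub(/,.*/, "", hex)      # several data fields in one frame: keep the first
        gsub(/:/, "", hex)       # tolerate aa:bb:cc style output
        if (hex == "") next      # another dissector claimed the payload: no data field
        if (length(hex) < 2 * (off + len)) {
            printf "%s\tSHORT\n", $1   # payload shorter than the requested range
            next
        }
        # two hex characters per byte, awk strings are 1-indexed
        printf "%s\t%s\n", $1, substr(hex, 2 * off + 1, 2 * len)
    }'
}

# Constructed sample standing in for real tshark output.
sample_output() {
    printf '1\t0102aabbccdd0304\n'
    printf '2\t\n'
    printf '3\t01:02:de:ad:be:ef\n'
    printf '4\t0102\n'
}

# Against a real capture (capture.pcap is a placeholder):
#   tshark -r capture.pcap -T fields -e frame.number -e data | slice_data 2 4
sample_output | slice_data 2 4
```

Frames that print `SHORT` or are missing from the output are worth a second look in Wireshark: the payload was either too small for the range or was handed to a different dissector, so the `data` field was empty.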