Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2020-10-19 16:34:33 +0000

Chuckc gravatar image

(Test file on Wireshark wiki )


$ cat ./mktcpfile
#!/bin/bash

TIMESTAMP=""
PAYLOAD=""

read TIMESTAMP PAYLOAD
while [ "$TIMESTAMP" ]
do
    echo $TIMESTAMP
    echo $PAYLOAD > $TIMESTAMP.txt
    read TIMESTAMP PAYLOAD
done



$ tshark -r ../200722_tcp_anon.pcapng -T fields -e tcp.time_relative -e tcp.payload -Y tcp.payload | ./mktcpfile
0.004678000
0.005701000
0.005734000
0.005745000
0.005752000
0.005762000
0.005770000
0.005776000
8.657441000
10.162740000
12.385270000
$
$ ls
0.004678000.txt  0.005734000.txt  0.005752000.txt  0.005770000.txt  10.162740000.txt  8.657441000.txt
0.005701000.txt  0.005745000.txt  0.005762000.txt  0.005776000.txt  12.385270000.txt  mktcpfile
$ cat ./0.004678000.txt
68656c6c6f0a
$

Sharkfest video on using tshark:
SF19US - 04 Solving (SharkFest) packet capture challenges with only tshark (Sake Blok)