
I can use the command

sudo tshark -Y "ip.src ==" -T fields -e data

to print the hex contents of the packets I'm sending

No, you can use that command to print the hex contents of any undissected data in those packets.

If Wireshark manages to dissect all the data in a packet as part of some protocol, rather than not knowing some protocol and having to treat that protocol's part of the packet as undissected (because undissectable) data, it will print nothing for the packet.

If you want all the hex data, you could try

sudo tshark -Y "ip.src ==" -x

but you won't get one line per packet - you'll get a variable number of lines per packet, with each line having a hex offset in the packet data followed by 16 bytes of hex data and 16 characters worth of ASCII data (the last line may have fewer than 16 bytes of data).

Note, by the way, that:

1) to quote the doc/README.packaging file in the Wireshark source:


All of the lines of code that involve packet dissection, which is the majority of the lines of code in Wireshark, are also in TShark, so the same warning applies to it.

You probably want to make sure that the dumpcap program (which is what Wireshark and TShark run to capture traffic) was installed to run with elevated privileges (on Linux, either with capture privileges or set-UID privileges), and NOT run TShark as root.

2) You can also use the command

tshark -x src host

for the same purpose, and not have TShark even have to see packets not from

Also, if I open up Wireshark instead of tshark, I can see the contents of the data packets.

If you open up Wireshark, you will probably see the entire hex contents of the packet in the "hex dump" pane of the display; that's what tshark -x prints.

You will probably not see very many places in the packet detail pane where it says just "Data"; those are what the data field corresponds to.
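
The answer notes that tshark -x prints a variable number of rows per packet rather than one line per packet. The sketch below is an added example, not part of the original answer or of Wireshark: it folds those rows back into one hex string per packet. It assumes the row layout described above (hex offset, up to 16 hex bytes, ASCII column) and that each packet's dump starts at offset 0000; the function name and the sample text are constructed for illustration.

```python
import re
import sys

# One hex-dump row: offset, two spaces, then up to 16 "xx" byte tokens.
# Matching only the byte tokens keeps the ASCII column out of the result,
# even when it holds text such as "ab" that looks like a hex byte.
ROW = re.compile(r"^([0-9a-fA-F]{4,})  ((?:[0-9a-fA-F]{2} ?){1,16})")


def packets_from_hexdump(lines):
    """Yield one lowercase hex string per packet from `tshark -x` style text."""
    current = []
    for line in lines:
        m = ROW.match(line)
        if not m:
            continue  # blank separators and any non-dump lines are skipped
        # Assumption: a row at offset 0 begins the next packet's dump.
        if int(m.group(1), 16) == 0 and current:
            yield "".join(current)
            current = []
        current.append(m.group(2).replace(" ", "").lower())
    if current:
        yield "".join(current)


# Constructed sample (not real capture data): an 18-byte packet whose short
# last row has an ASCII column that reads "ab", followed by a 4-byte packet.
SAMPLE = """\
0000  48 65 6c 6c 6f 20 74 73 68 61 72 6b 20 2d 78 21   Hello tshark -x!
0010  61 62                                             ab

0000  de ad be ef                                       ....
"""

if __name__ == "__main__":
    # Reads the dump from a pipe if there is one, otherwise uses the sample.
    source = SAMPLE.splitlines() if sys.stdin.isatty() else sys.stdin
    for hexstr in packets_from_hexdump(source):
        print(hexstr)
```
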