Ask Your Question

Revision history [back]

click to hide/show revision 1
initial version

answered 2018-10-29 15:24:05 +0000

cmaynard gravatar image

I don't have an answer for your exact question, but I might have a workable alternative for you.

Instead of using the following to get the payload:

tshark -r file1.pcap -Y frame.number==1 -T fields -e data

Try using this instead:

tshark -r file1.pcap -Y frame.number==1 -T fields -e data.data

That will produce the bytes separated by colon's, :, making it easier to copy/paste for the next step:

tshark -r file2.pcap -Y "data==<paste from step1>"

or

tshark -r file2.pcap -Y "data contains <paste of subset from step1>"

It is odd that -Y and -e don't seem to work the same with respect to data and data.data. Maybe file a bug report for that?

I don't have an answer for your exact question, but I might have a workable alternative for you.

Instead of using the following to get the payload:

tshark -r file1.pcap -Y frame.number==1 -T fields -e data

Try using this instead:

tshark -r file1.pcap -Y frame.number==1 -T fields -e data.data

That will produce the bytes separated by colon's, :, making it easier to copy/paste for the next step:

tshark -r file2.pcap -Y "data==<paste from step1>"

or

tshark -r file2.pcap -Y "data contains <paste of subset from step1>"

It is odd that -Y and -e don't seem to work the same with respect to data and data.data. Maybe file a bug report for that?

EDIT I guess it's not really all that odd after all. data is the name of the protocol whereas data.data is the byte array field of the data dissector. If you were instead to run something like tshark -r file1.pcap -Y frame.number==1 -T fields -e eth, you would see the Ethernet summary line displayed and not the 14 bytes of the Ethernet header. So you're seeing the same with the data dissector here too; it's like the summary line.

Now what's curious is that this summary line should just be text and thus one might expect it to be searchable with the matches (~) operator, as opposed to the contains operator, but that doesn't work. It might be interesting to see if an enhancement could be made to allow for protocol summary lines to work with string operators like matches (~).