0

tshark get only application level data bytes

asked 2019-09-26 22:05:04 +0000

rogerz343

I'm using tshark to get a .csv of various fields, and I want the application level data (above tcp/udp) as one of the fields. For some of the frames I can get this from "data.data" but not for the frames whose application level protocol has already been dissected.

Is there a way to get just the (app-level) data above tcp/udp layer (in either raw bytes or hex string) for all of the frames? I don't want to use "-x" or something like that to get all of the bytes since then I have to first remove the lower-level layers.


2 Answers

0

answered 2019-09-27 00:06:06 +0000

Chuckc

updated 2019-09-27 04:09:50 +0000

Brute force might be to have a profile with all protocols disabled except ethernet, ipv4, ipv6?, tcp and udp. Use "-C" to specify the profile to load and print the data.data field.

tshark -r .\http-riverbed-one.pcapng -C data_data -e "data.data" -Tfields -Y data.data > tmp.fil
0

answered 2019-09-27 07:50:08 +0000

SYN-bit

For TCP, there is the field tcp.payload which is the TCP segment (payload) of the packet, regardless of the upper layer protocol.

For UDP there is not yet(?) such a field. If you would like such a field to be added, you might want to add a feature request on https://bugs.wireshark.org

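Where no payload field is available (the UDP case in the answer above), the layer stripping can be done on the raw frame bytes, such as those printed by "-x". The following is an added example, not part of the original answers or of Wireshark; the function names `app_payload` and `sample_frame` are hypothetical, and it assumes Ethernet II framing (optionally 802.1Q tagged) carrying IPv4 or IPv6 without extension headers.

```python
import struct

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100
PROTO_TCP, PROTO_UDP = 6, 17

def app_payload(frame: bytes):
    """Bytes above TCP/UDP in one Ethernet II frame, or None if not applicable."""
    if len(frame) < 14:
        return None
    ethertype, off = struct.unpack_from("!H", frame, 12)[0], 14
    while ethertype == ETH_VLAN and len(frame) >= off + 4:  # skip 802.1Q tags
        ethertype, off = struct.unpack_from("!H", frame, off + 2)[0], off + 4
    if ethertype == ETH_IPV4 and len(frame) >= off + 20:
        ihl = (frame[off] & 0x0F) * 4
        total_len, frag, proto = struct.unpack_from("!H2xHxB", frame, off + 2)
        if ihl < 20 or frag & 0x1FFF:  # bad header, or a later fragment (no L4 header)
            return None
        end, off = off + total_len, off + ihl
    elif ethertype == ETH_IPV6 and len(frame) >= off + 40:
        payload_len, proto = struct.unpack_from("!HB", frame, off + 4)
        end, off = off + 40 + payload_len, off + 40  # extension headers are not walked
    else:
        return None
    end = min(end, len(frame))  # IP length drops Ethernet padding; clamp if truncated
    if proto == PROTO_TCP and end >= off + 20:
        hdr = (frame[off + 12] >> 4) * 4  # data offset is in 32-bit words
        return frame[off + hdr:end] if 20 <= hdr <= end - off else None
    if proto == PROTO_UDP and end >= off + 8:
        udp_len = struct.unpack_from("!H", frame, off + 4)[0]
        return frame[off + 8:min(end, off + udp_len)] if udp_len >= 8 else None
    return None

def sample_frame(proto: int, data: bytes) -> bytes:
    """Constructed input: Ethernet II + IPv4 + TCP or UDP, zero-padded to 60 bytes."""
    if proto == PROTO_UDP:
        l4 = struct.pack("!HHHH", 5353, 5353, 8 + len(data), 0)
    else:
        l4 = struct.pack("!HHIIBBHHH", 49152, 80, 1, 1, 5 << 4, 0x18, 1024, 0, 0)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4) + len(data), 0, 0,
                     64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    eth = bytes(12) + struct.pack("!H", ETH_IPV4)
    return (eth + ip + l4 + data).ljust(60, b"\x00")

if __name__ == "__main__":
    for proto in (PROTO_UDP, PROTO_TCP):
        print(proto, app_payload(sample_frame(proto, b"hi")).hex())
```

Short frames are padded on the wire to the Ethernet minimum, so the payload end is taken from the IP length field rather than from the end of the frame.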


Stats

Asked: 2019-09-26 22:05:04 +0000

Seen: 2,475 times

Last updated: Sep 27 '19