Ask Your Question
0

How to extract text data from pcap file

asked 2019-10-30 08:22:14 +0000

Wernfried Domscheit gravatar image

I received some pcap files and I need to extract sent text data from it.

I tried these:

tshark -T fields -e data -r test_00001_20191007090955.pcap
3c3139303e323031392d31302d30372030373a31303a313720457564656d6f6e20252530315345434c4f472f362f53455353494f4e5f4255494c54286c293a49505665723d342c50726f746f636f6c3d7564702c536f7572636549503d31302e36342e332e312c44657374696e6174696f6e49503d312e312e312e312c536f75726365506f72743d31313431302c44657374696e6174696f6e506f72743d3136312c536f757263654e61 ...

tshark -T fields -e data.data -r test_00001_20191007090955.pcap
3c:31:39:30:3e:32:30:31:39:2d:31:30:2d:30:37:20:30:37:3a:31:30:3a:31:37:20:45:75:64:65:6d:6f:6e:20:25:25:30:31:53:45:43:4c:4f:47:2f:36:2f:53:45:53:53:49:4f:4e:5f:42:55:49:4c:54:28:6c:29:3a:49:50:56:65:72:3d:34:2c:50:72:6f:74:6f:63:6f:6c:3d:75:64:70:2c:53:6f:75:72:63:65:49:50:3d:31:30:2e:36:34:2e:33:2e:31:2c:44:65:73:74:69:6e:61:74:69:6f:6 ...

tshark -T fields -e data.text -r test_00001_20191007090955.pcap
{empty lines}

But I like to get the text output as

<190>2019-10-07 07:10:17 Eudemon %%01SECLOG/6/SESSION_BUILT(l):IPVer=4,Protocol=udp,SourceIP=10.64.3.1 ...

So, I need to convert the HEX values to text.

edit retag flag offensive close merge delete

1 Answer

Sort by ยป oldest newest most voted
0

answered 2019-10-30 10:08:47 +0000

Wernfried Domscheit gravatar image

updated 2019-11-05 13:01:20 +0000

I found the magic flag to set: -o data.show_as_text:TRUE

tshark -T fields -e data.text -o data.show_as_text:TRUE -r test_00010_20191007091905.pcap

prints the desired output.

edit flag offensive delete link more

Your Answer

Please start posting anonymously - your entry will be published after you log in or create a new account.

Add Answer

Question Tools

1 follower

Stats

Asked: 2019-10-30 08:22:14 +0000

Seen: 9,253 times

Last updated: Nov 05 '19