How do I extract the hex section from a pcap file?

asked 2019-11-12 22:51:46 +0000

a__lmonkey
1 ●1 ●1 ●2

updated 2019-11-12 23:03:08 +0000

for homework, i was given a captured pcap file from a USB and was told to identify a 'flag' which it contains.

I've researched the right code (Tshark) to use for this, however, I don't know what field to refer to in order to extract the flag from it - I feel like it would be the hexadecimal values that need to be extracted for the contents of the USB but I don't know how to refer to it when using tshark.

tshark -r targetFile.pcapng -T fields -e _ws.col.Info > outFile.csv

here is the code I have, the -e is referring to the 'info' column of Wireshark but I want to extract the hex values at the bottom, what is the correct syntax for this?

please thank you

edit retag flag offensive close merge delete

add a comment

2 Answers

Sort by » oldest newest most voted

answered 2019-11-13 08:33:31 +0000

grahamb

flag of United Kingdom of Great Britain and Northern Ireland

23835 ●4 ●973 ●227 https://www.wireshark.org

updated 2019-11-13 16:13:18 +0000

cmaynard

11115 ●11 ●317 ●165 https://www.igt.com/

Extra fields are specified in the command by adding a -e argument with the field name, use multiple -e field.name arguments for multiple fields. You can find the field name in the GUI by selecting the field of interest in the packet details pane and looking at the info in the status bar at the bottom left. The field name is in parentheses.

edit flag offensive delete link

add a comment

answered 2019-11-13 16:25:21 +0000

Chuckc
3023 ●6 ●608 ●20

" I want to extract the hex values at the bottom"

https://www.wireshark.org/docs/man-pa...

-x
Cause TShark to print a hex and ASCII dump of the packet data after printing the summary and/or details, if either are also being displayed.

edit flag offensive delete link

add a comment